Lucene search
K
PypaMost viewed

5624 matches found

PyPA
PyPA
•added 2022/08/18 7:15 p.m.•8 views

PYSEC-2022-249

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting XSS vulnerabilities if the...

7.5CVSS8.2AI score0.01102EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/08/03 2:15 p.m.•8 views

PYSEC-2022-245

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input...

8.8CVSS6.9AI score0.00654EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/07/28 11:15 p.m.•8 views

PYSEC-2022-43174

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package...

9.8CVSS7.8AI score0.01011EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/07/26 6:15 a.m.•8 views

PYSEC-2022-244

untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files...

7.5CVSS6.8AI score0.01336EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/07/25 2:15 p.m.•8 views

PYSEC-2022-43182

Withdrawn as duplicate of PYSEC-2022-239. The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim...

8CVSS6.8AI score0.00698EPSS
Exploits1References2
PyPA
PyPA
•added 2022/07/22 3:15 p.m.•8 views

PYSEC-2022-43166

The scu-captcha package in PyPI v0.0.1 to v0.0.4 included a code execution backdoor inserted by a third party...

9.8CVSS7.6AI score0.01254EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/07/22 3:15 p.m.•8 views

PYSEC-2022-242

The PyCrowdTangle package in PyPI before v0.0.1 included a code execution backdoor inserted by a third party...

9.8CVSS7.7AI score0.01254EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/07/11 1:15 a.m.•8 views

PYSEC-2022-225

The ganga-devs/ganga repository before 8.5.10 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...

9.3CVSS7.1AI score0.01576EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/07/06 6:15 p.m.•8 views

PYSEC-2022-233

opensshkeyparser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. In versions prior to 0.0.6 if a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker...

7.7CVSS6.8AI score0.01239EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/07/05 12:15 p.m.•8 views

PYSEC-2022-43185

A stored Cross-site Scripting XSS vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location...

5.4CVSS6AI score0.00484EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/06/27 6:15 p.m.•8 views

PYSEC-2022-222

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a...

7.5CVSS7AI score0.02042EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•8 views

PYSEC-2022-43176

The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS7.9AI score0.01302EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•8 views

PYSEC-2022-43169

The Togglee package in PyPI version v0.0.8 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS7.9AI score0.01931EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/06/09 4:15 a.m.•8 views

PYSEC-2022-208

django-s3file is a lightweight file upload input for Django and Amazon S3 . In versions prior to 5.5.1 it was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. If the AWSLOCATION setting was set, traversal was limited to that location only. The issue was...

9.8CVSS6.9AI score0.01935EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/05/24 5:55 p.m.•8 views

PYSEC-2022-199

The ctx hosted project on PyPI was taken over via user account compromise and replaced with a malicious project which contained runtime code which collected the content of os.environ.items when instantiating Ctx objects...

7.2AI score
Exploits0References1Affected Software1
PyPA
PyPA
•added 2022/05/20 7:15 p.m.•8 views

PYSEC-2022-43154

WASM3 v0.5.0 was discovered to contain a heap overflow via the component /wabt/bin/poc.wasm...

7.8CVSS7.6AI score0.0039EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/05/06 12:15 a.m.•8 views

PYSEC-2022-187

TkVideoplayer is a simple library to play video files in tkinter. Uncontrolled memory consumption in versions of TKVideoplayer prior to 2.0.0 can theoretically lead to performance degradation. There are no known workarounds. This issue has been patched and users are advised to upgrade to version...

4.3CVSS6.8AI score0.00503EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/04/25 10:15 p.m.•8 views

PYSEC-2022-193

flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he captcha.validate function would return None if passed no value e.g. by submitting an having an empty form. If implementing users...

5.3CVSS6.6AI score0.01126EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/04/13 10:15 p.m.•8 views

PYSEC-2022-198

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of .returnsint128 is not validated to fall within the bounds of int128. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0,...

9.8CVSS6.8AI score0.01377EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2022/04/12 5:15 a.m.•8 views

PYSEC-2022-191

A SQL injection issue was discovered in QuerySet.explain in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary with dictionary expansion as the options argument, and placing the injection payload in an option name...

9.8CVSS8AI score0.02919EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/03/31 11:15 p.m.•8 views

PYSEC-2022-178

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perfo...

7.5CVSS7AI score0.01366EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/21 7:15 p.m.•8 views

PYSEC-2022-170

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of...

9.8CVSS6.9AI score0.01582EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/17 9:15 p.m.•8 views

PYSEC-2022-229

gradio is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, gradio suffers from Improper Neutralization of Formula Elements in a CSV File. The gradio library has a flagging functionality which saves input/output data into a CSV file on t...

8.8CVSS7.2AI score0.01248EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/17 1:15 p.m.•8 views

PYSEC-2022-169

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and...

7.5CVSS6.9AI score0.01738EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/03/07 11:15 p.m.•8 views

PYSEC-2022-34

HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn‘t distinguish between cookies and...

6.5CVSS6.8AI score0.01625EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/25 9:15 p.m.•8 views

PYSEC-2022-35

Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed i...

5.4CVSS6.5AI score0.00741EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/02/23 11:15 p.m.•8 views

PYSEC-2022-33

b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use TOCTOU race...

4.7CVSS6AI score0.00214EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/02/23 9:15 a.m.•8 views

PYSEC-2022-28

Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1...

8.2CVSS6.8AI score0.01551EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/07 10:15 p.m.•8 views

PYSEC-2022-27

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web. BrowserLikeRedirectAgent functions. Users are advise...

7.5CVSS6.9AI score0.01381EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-85

Tensorflow is an Open Source Machine Learning Framework. The implementation of OpLevelCostEstimator::CalculateOutputSize is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements. We can have a large enough number ...

6.5CVSS7.2AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-155

Tensorflow is an Open Source Machine Learning Framework. The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel. This...

7.5CVSS7.4AI score0.00789EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-99

Tensorflow is an Open Source Machine Learning Framework. A GraphDef from a TensorFlow SavedModel can be maliciously altered to cause a TensorFlow process to crash due to encountering a StatusOr value that is an error and forcibly extracting the value from it. We have patched the issue in multiple...

7.5CVSS7AI score0.00973EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-68

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both embeddingsize and lookupsize are products of values provided by the user. Hence, a malicious user could trigger overflows in the...

8.8CVSS7.1AI score0.01173EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-87

Tensorflow is an Open Source Machine Learning Framework. If a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize. Here, we set item-kernel to nullptr but it is a simple OpKernel pointer so the memory that was previously allocated to it...

4.3CVSS6.9AI score0.00716EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-73

Tensorflow is an Open Source Machine Learning Framework. When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow...

6.5CVSS6.8AI score0.00469EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-83

Tensorflow is an Open Source Machine Learning Framework. There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write. Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign to arg from outside the...

8.8CVSS7AI score0.00837EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-129

Tensorflow is an Open Source Machine Learning Framework. An attacker can trigger denial of service via assertion failure by altering a SavedModel on disk such that AttrDefs of some operation are duplicated. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on...

6.5CVSS6.9AI score0.00469EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-139

Tensorflow is an Open Source Machine Learning Framework. The implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements. The fix will be included in...

6.5CVSS7.2AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-144

Tensorflow is an Open Source Machine Learning Framework. During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, a...

6.5CVSS7AI score0.00821EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-128

Tensorflow is an Open Source Machine Learning Framework. When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow...

6.5CVSS6.8AI score0.00469EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-81

Tensorflow is an Open Source Machine Learning Framework. Under certain scenarios, TensorFlow can fail to specialize a type during shape inference. This case is covered by the DCHECK function however, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first cas...

6.5CVSS7AI score0.00992EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-67

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in TfLiteIntArrayCreate. The TfLiteIntArrayGetSizeInBytes returns an int instead of a sizet. An attacker can control model inputs such that computedsize overflows the...

8.8CVSS7.2AI score0.00811EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-130

Tensorflow is an Open Source Machine Learning Framework. TensorFlow is vulnerable to a heap OOB write in Grappler. The setoutput function writes to an array at the specified index. Hence, this gives a malicious user a write primitive. The fix will be included in TensorFlow 2.8.0. We will also...

8.8CVSS7AI score0.00924EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-148

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After png::CommonFreeDecode gets called, the values of decode.width and decode.height are in an unspecified state. The fix will be included in TensorFlow 2.8.0. ...

7.6CVSS7AI score0.00725EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•8 views

PYSEC-2022-121

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would trigger a division by zero in BiasAndClamp implementation. There is no check that the biassize is non zero. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on...

6.5CVSS7AI score0.00757EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 2:15 p.m.•8 views

PYSEC-2022-62

Tensorflow is an Open Source Machine Learning Framework. The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this comm...

6.5CVSS7.2AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 1:15 p.m.•8 views

PYSEC-2022-53

Tensorflow is an Open Source Machine Learning Framework. The implementation of UnravelIndex is vulnerable to a division by zero caused by an integer overflow bug. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlo...

6.5CVSS7.2AI score0.00783EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 1:15 p.m.•8 views

PYSEC-2022-78

Tensorflow is an Open Source Machine Learning Framework. Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails i.e., assertion failures. This is similar to TFSA-2021-198 and has similar fixes. We have patched the reported issues in multiple GitHub commits. I...

6.5CVSS7AI score0.00458EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/02/03 12:15 p.m.•8 views

PYSEC-2022-115

Tensorflow is an Open Source Machine Learning Framework. The implementation of SparseTensorSliceDataset has an undefined behavior: under certain condition it can be made to dereference a nullptr value. The 3 input arguments to SparseTensorSliceDataset represent a sparse tensor. However, there are...

7.6CVSS6.9AI score0.00746EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 11:15 a.m.•8 views

PYSEC-2022-50

Tensorflow is an Open Source Machine Learning Framework. The implementation of Dequantize does not fully validate the value of axis and can result in heap OOB accesses. The axis argument can be -1 the default value for the optional argument or any other positive value at most the number of...

8.8CVSS7AI score0.00818EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities5000