Lucene search
K
PypaMost viewed

5631 matches found

PyPA
PyPA
added 2023/05/11 10:15 p.m.8 views

PYSEC-2023-79

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the type...

7.5CVSS6.8AI score0.00725EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/05/11 9:15 p.m.8 views

PYSEC-2023-78

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of...

7.5CVSS7.1AI score0.00913EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/05/10 6:15 p.m.8 views

PYSEC-2023-63

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...

5.5CVSS7.2AI score0.00241EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/05/09 3:15 p.m.8 views

PYSEC-2023-64

mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have...

9.8CVSS6.9AI score0.00659EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/05/08 5:15 p.m.8 views

PYSEC-2023-76

Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8...

7.5CVSS6.8AI score0.00697EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/05/08 10:15 a.m.8 views

PYSEC-2023-60

Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0...

5.4CVSS6.9AI score0.01911EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/04/20 9:15 p.m.8 views

PYSEC-2023-41

pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export a non-default feature. Users were able to upload crafted HTML documents that trigger the reading of arbitrary files...

6.5CVSS7AI score0.06648EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/04/18 4:15 p.m.8 views

PYSEC-2023-34

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0...

9.8CVSS6.8AI score0.00619EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2023/04/15 8:16 p.m.8 views

PYSEC-2023-22

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attacke...

6.3CVSS7.1AI score0.00299EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/04/07 3:15 p.m.8 views

PYSEC-2023-3

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2...

7.5CVSS7AI score0.02062EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/04/05 2:15 a.m.8 views

PYSEC-2023-18

In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method...

9.8CVSS8.2AI score0.39653EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/03/26 7:15 p.m.8 views

PYSEC-2023-46

redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time in the case of a non-pipeline operation, and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858...

6.5CVSS7.1AI score0.01034EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/03/16 9:15 p.m.8 views

PYSEC-2023-50

Streamlit, software for turning data scripts into web applications, had a cross-site scripting XSS vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit apps were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to ...

6.1CVSS5.5AI score0.00407EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/03/08 12:15 a.m.8 views

PYSEC-2023-86

OWSLib is a Python package for client programming with Open Geospatial Consortium OGC web service interface standards, and their related content models. OWSLib's XML parser which supports both lxml and xml.etree does not disable entity resolution, and could lead to arbitrary file reads from an...

8.2CVSS7AI score0.00985EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/03/06 11:15 p.m.8 views

PYSEC-2023-42

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1...

7.5CVSS6.9AI score0.00623EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/03/06 11:15 p.m.8 views

PYSEC-2023-270

A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images...

2.8CVSS6.4AI score0.00323EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/02/15 1:15 a.m.8 views

PYSEC-2023-13

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs e.g., an excessive number of parts to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for ...

7.5CVSS7AI score0.62575EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2023/02/10 7:15 p.m.8 views

PYSEC-2023-32

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4...

9.8CVSS6.8AI score0.15088EPSS
Exploits4References6Affected Software1
PyPA
PyPA
added 2023/02/07 9:15 p.m.8 views

PYSEC-2023-11

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.updateinto would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects such as bytes to b...

6.5CVSS8.2AI score0.01301EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/02/06 5:15 p.m.8 views

PYSEC-2023-208

A vulnerability was found in paxswill EVE Ship Replacement Program 0.12.11. It has been rated as problematic. This issue affects some unknown processing of the file src/evesrp/views/api.py of the component User Information Handler. The manipulation leads to information disclosure. The attack may ...

4.3CVSS6.8AI score0.00666EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2023/01/30 5:15 a.m.8 views

PYSEC-2023-298

isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF...

5.3CVSS7AI score0.00558EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/12/27 11:15 a.m.8 views

PYSEC-2022-43014

A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16. This issue affects the function calculatex of the file srp/ctsrp.py. The manipulation leads to information exposure through discrepancy. Upgrading to version 1.0.17 is able to address this issue. T...

7.5CVSS6.8AI score0.00705EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2022/12/23 12:15 a.m.8 views

PYSEC-2022-43012

Python Packaging Authority PyPA setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service ReDoS in packageindex.py...

5.9CVSS6.7AI score0.02617EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2022/12/23 12:15 a.m.8 views

PYSEC-2022-42991

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server...

7.5CVSS7.3AI score0.01804EPSS
Exploits1References9Affected Software1
PyPA
PyPA
added 2022/12/23 12:15 a.m.8 views

PYSEC-2022-43017

An issue discovered in Python Packaging Authority PyPA Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli...

7.5CVSS6.8AI score0.02659EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/12/15 9:15 p.m.8 views

PYSEC-2022-42990

A vulnerability was found in collective.task up to 3.0.9. It has been classified as problematic. This affects the function renderCell/AssignedGroupColumn of the file src/collective/task/browser/table.py. The manipulation leads to cross site scripting. It is possible to initiate the attack remotel...

6.1CVSS6.1AI score0.00542EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2022/12/14 3:15 p.m.8 views

PYSEC-2022-42989

A vulnerability, which was classified as problematic, has been found in collective.dms.basecontent up to 1.6. This issue affects the function renderCell of the file src/collective/dms/basecontent/browser/column.py. The manipulation leads to cross site scripting. The attack may be initiated...

6.1CVSS6AI score0.00492EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2022/12/12 6:15 p.m.8 views

PYSEC-2022-43002

Improper Privilege Management in GitHub repository ikus060/rdiffweb prior to 2.5.2...

9.8CVSS6.7AI score0.00789EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/12/06 8:15 p.m.8 views

PYSEC-2022-42998

A directory traversal vulnerability in the SevenZipFile.extractall function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file...

9.1CVSS7AI score0.02242EPSS
Exploits3References7Affected Software1
PyPA
PyPA
added 2022/12/06 6:15 p.m.8 views

PYSEC-2022-42997

Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python random library for random value selection. The python random library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator...

7.5CVSS6.8AI score0.00791EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/11/14 10:15 a.m.8 views

PYSEC-2022-42982

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided runid parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0...

8.8CVSS7.6AI score0.85653EPSS
Exploits2References7Affected Software1
PyPA
PyPA
added 2022/11/12 8:15 p.m.8 views

PYSEC-2022-43055

Hyperledger Fabric 2.3 allows attackers to cause a denial of service orderer crash by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist...

7.5CVSS6.7AI score0.00797EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/11/09 8:15 p.m.8 views

PYSEC-2022-43178

An exponential ReDoS Regular Expression Denial of Service can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.setrows method...

7.5CVSS7AI score0.00909EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/11/07 3:15 p.m.8 views

PYSEC-2022-43130

The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-uuids package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.01012EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/11/07 3:15 p.m.8 views

PYSEC-2022-43089

The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-uuids package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.01012EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/11/07 3:15 p.m.8 views

PYSEC-2022-43126

The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-timezones package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.00991EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/11/07 3:15 p.m.8 views

PYSEC-2022-43086

The d8s-stats for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-math package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.01012EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/11/04 11:0 a.m.8 views

PYSEC-2022-42969

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS Regular expression Denial of Service attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled...

7.5CVSS7AI score0.01546EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/11/02 12:15 p.m.8 views

PYSEC-2022-42971

In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's /confirm endpoint...

6.1CVSS6.8AI score0.01494EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2022/10/16 6:15 a.m.8 views

PYSEC-2022-43183

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS Regular expression Denial of Service attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third parties as not bein...

7.5CVSS6.7AI score0.01546EPSS
Exploits1References4
PyPA
PyPA
added 2022/10/11 10:15 p.m.8 views

PYSEC-2022-43019

The d8s-algorithms package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0...

9.8CVSS7AI score0.0483EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.8 views

PYSEC-2022-43032

The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.8 views

PYSEC-2022-43046

The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.8 views

PYSEC-2022-43031

The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.8 views

PYSEC-2022-43024

The d8s-file-system package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hashes package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/03 12:15 p.m.8 views

PYSEC-2022-300

A Server Side Request Forgery SSRF in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling...

6.5CVSS7AI score0.05088EPSS
Exploits3References5Affected Software1
PyPA
PyPA
added 2022/09/22 7:15 p.m.8 views

PYSEC-2022-289

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.7...

7CVSS6.7AI score0.00375EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/22 10:15 a.m.8 views

PYSEC-2022-284

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.6...

6.8CVSS6.7AI score0.00319EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/21 12:15 p.m.8 views

PYSEC-2022-283

Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3...

8.8CVSS6.7AI score0.00437EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/21 8:15 a.m.8 views

PYSEC-2022-279

In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction...

7.5CVSS6.7AI score0.01573EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000