Lucene search
K
PypaMost viewed

5612 matches found

PyPA
PyPA
added 2014/05/27 1:55 p.m.7 views

PYSEC-2014-110

Multiple cross-site scripting XSS vulnerabilities in apps/common/templates/calculateformtitle.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a 1 tag or the 2 title of a source in a Staging folder, 3 Name field in a bootstrap setup, or Title fie...

3.5CVSS5.7AI score0.03476EPSS
Exploits1References10Affected Software1
PyPA
PyPA
added 2014/05/20 2:55 p.m.7 views

PYSEC-2014-86

The 1 makenonce, 2 generatenonce, and 3 generateverifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack...

5.8CVSS6.9AI score0.0243EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/05/05 5:6 p.m.7 views

PYSEC-2014-94

PyWBEM 0.7 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

5.8CVSS6.8AI score0.00907EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/05/02 1:59 a.m.7 views

PYSEC-2014-72

Transifex command-line client before 0.10 does not validate X.509 certificates for data transfer connections, which allows man-in-the-middle attackers to spoof a Transifex server via an arbitrary certificate. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2073...

4.3CVSS7AI score0.00828EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/04/17 2:55 p.m.7 views

PYSEC-2014-23

The 1 JpegImagePlugin.py and 2 EpsImagePlugin.py scripts in Python Image Library PIL 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes...

2.1CVSS6.6AI score0.00448EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2014/04/15 2:55 p.m.7 views

PYSEC-2014-70

The authtoken middleware in the OpenStack Python client library for Keystone aka python-keystoneclient before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, relat...

6CVSS7.1AI score0.01101EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.7 views

PYSEC-2014-63

1 cbdecode.py and 2 linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service resource consumption via a large zip archive, which is expanded decompressed...

3.5CVSS6.7AI score0.01076EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.7 views

PYSEC-2014-84

The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file...

4.4CVSS6.7AI score0.00355EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2014/02/18 7:55 p.m.7 views

PYSEC-2014-12

The OpenStack Python client library for Swift python-swiftclient 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...

5.8CVSS6.6AI score0.00732EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/02/14 3:55 p.m.7 views

PYSEC-2014-102

OpenStack Image Registry and Delivery Service Glance 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading th...

2.6CVSS6.5AI score0.00314EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/01/28 12:55 a.m.7 views

PYSEC-2014-17

The parser cache functionality in parsergenerator.py in RPLY aka python-rply before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-.json file with a predictable name...

2.1CVSS6.6AI score0.00351EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/01/07 6:55 p.m.7 views

PYSEC-2014-97

Libcloud 0.12.3 through 0.13.2 does not set the scrubdata parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM...

2.1CVSS6.2AI score0.0206EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2013/12/27 1:55 a.m.7 views

PYSEC-2013-45

keystone/middleware/authtoken.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova...

2.1CVSS6.6AI score0.00238EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2013/11/05 6:55 p.m.7 views

PYSEC-2013-14

Salt aka SaltStack before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key...

4.9CVSS6.9AI score0.01473EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2013/10/04 5:55 p.m.7 views

PYSEC-2013-21

The issafeurl function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting XSS or other vulnerabilities into Django applications that use this function, a...

4.3CVSS6.2AI score0.02297EPSS
Exploits0References14Affected Software1
PyPA
PyPA
added 2013/09/30 9:55 p.m.7 views

PYSEC-2013-31

The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate...

4.3CVSS6.8AI score0.01197EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2013/09/23 8:55 p.m.7 views

PYSEC-2013-42

The 1 mamcache and 2 KVS token backends in OpenStack Identity Keystone Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token...

5CVSS6.9AI score0.02342EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2013/08/06 2:52 a.m.7 views

PYSEC-2013-10

pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation...

6.8CVSS7.8AI score0.02083EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2013/03/22 9:55 p.m.7 views

PYSEC-2013-39

OpenStack Keystone Folsom 2012.2 does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token...

6.8CVSS7AI score0.02608EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2013/02/24 9:55 p.m.7 views

PYSEC-2013-37

store/swift.py in OpenStack Glance Essex 2012.1, Folsom 2012.2 before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive...

4CVSS6.6AI score0.02965EPSS
Exploits0References13Affected Software1
PyPA
PyPA
added 2013/01/03 1:55 a.m.7 views

PYSEC-2013-6

Multiple unrestricted file upload vulnerabilities in the 1 twikidraw action/twikidraw.py and 2 anywikidraw action/anywikidraw.py actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, the...

6CVSS8AI score0.30566EPSS
Exploits7References14Affected Software1
PyPA
PyPA
added 2013/01/03 1:55 a.m.7 views

PYSEC-2013-23

Cross-site scripting XSS vulnerability in the rsslink function in theme/init.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link...

4.3CVSS6AI score0.02095EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2012/12/26 10:55 p.m.7 views

PYSEC-2012-42

OpenStack Compute Nova Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not properly clear physical volume PV content when reallocating for instances, which allows attackers to obtain sensitive information by reading the memory of the previous logical volume L...

4.3CVSS5.8AI score0.01994EPSS
Exploits0References11
PyPA
PyPA
added 2012/12/26 10:55 p.m.7 views

PYSEC-2012-41

OpenStack Compute Nova Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not properly clear physical volume PV content when reallocating for instances, which allows attackers to obtain sensitive information by reading the memory of the previous logical volume L...

4.3CVSS6.3AI score0.01994EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2012/12/18 1:55 a.m.7 views

PYSEC-2012-20

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression...

4.9CVSS6.8AI score0.0284EPSS
Exploits1References12Affected Software1
PyPA
PyPA
added 2012/11/18 11:55 p.m.7 views

PYSEC-2012-7

The django.http.HttpRequest.gethost function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values...

6.4CVSS7.3AI score0.03635EPSS
Exploits1References18Affected Software1
PyPA
PyPA
added 2012/11/11 1:0 p.m.7 views

PYSEC-2012-29

The v1 API in OpenStack Glance Grizzly, Folsom 2012.2, and Essex 2012.1 allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482...

5.5CVSS7.1AI score0.03318EPSS
Exploits0References18Affected Software1
PyPA
PyPA
added 2012/11/04 10:55 p.m.7 views

PYSEC-2012-12

Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted...

5.9CVSS6.8AI score0.01208EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2012/07/31 5:55 p.m.7 views

PYSEC-2012-3

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service memory consumption by uploading an image file...

5CVSS6.8AI score0.02641EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2012/07/31 10:45 a.m.7 views

PYSEC-2012-34

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by 1 creating new tokens through token chaining, 2 leveraging...

4.9CVSS6.8AI score0.02266EPSS
Exploits1References17Affected Software1
PyPA
PyPA
added 2012/07/22 4:55 p.m.7 views

PYSEC-2012-39

virt/disk/api.py in OpenStack Compute Nova Folsom 2012.2, Essex 2012.1, and Diablo 2011.3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image...

5.5CVSS6.9AI score0.02582EPSS
Exploits1References14Affected Software1
PyPA
PyPA
added 2012/07/17 9:55 p.m.7 views

PYSEC-2012-40

The Nova scheduler in OpenStack Compute Nova Folsom 2012.2 and Essex 2012.1, when DifferentHostFilter or SameHostFilter is enabled, allows remote authenticated users to cause a denial of service excessive database lookup calls and server hang via a request with many repeated IDs in the...

3.5CVSS6.7AI score0.01846EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2012/06/17 3:41 a.m.7 views

PYSEC-2012-16

PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key...

4.3CVSS6.7AI score0.02727EPSS
Exploits2References15Affected Software1
PyPA
PyPA
added 2012/05/01 7:55 p.m.7 views

PYSEC-2012-15

Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem...

5.1CVSS7AI score0.0404EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added 2012/03/19 7:55 p.m.7 views

PYSEC-2012-31

libs/updater.py in GoLismero 0.6.3, and other versions before Git revision 2b3bb43d6867, as used in backtrack and possibly other products, allows local users to overwrite arbitrary files via a symlink attack on GoLismero-controlled files, as demonstrated using Admin/changes.dat...

3.3CVSS6.8AI score0.00307EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2011/10/19 10:55 a.m.7 views

PYSEC-2011-4

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request...

5CVSS6.9AI score0.02304EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2011/10/19 10:55 a.m.7 views

PYSEC-2011-2

The verifyexists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service resource consumption via a URL associated with...

6.4CVSS7AI score0.04266EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added 2011/04/11 6:55 p.m.7 views

PYSEC-2011-19

feedparser.py in Universal Feed Parser aka feedparser or python-feedparser before 5.0.1 allows remote attackers to cause a denial of service application crash via a malformed DOCTYPE declaration...

5CVSS6.8AI score0.03233EPSS
Exploits1References12Affected Software1
PyPA
PyPA
added 2011/02/22 6:0 p.m.7 views

PYSEC-2011-6

Cross-site scripting XSS vulnerability in the reStructuredText rst parser in parser/textrst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some...

2.6CVSS6.1AI score0.02517EPSS
Exploits1References15Affected Software1
PyPA
PyPA
added 2010/10/19 8:0 p.m.7 views

PYSEC-2010-21

FTPServer.py in pyftpdlib before 0.2.0 does not increment the attemptedlogins count for a USER command that specifies an invalid username, which makes it easier for remote attackers to obtain access via a brute-force attack...

7.5CVSS6.9AI score0.01354EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2010/10/19 8:0 p.m.7 views

PYSEC-2010-25

The ftpPORT function in FTPServer.py in pyftpdlib before 0.2.0 does not prevent TCP connections to privileged ports if the destination IP address matches the source IP address of the connection from the FTP client, which might allow remote authenticated users to conduct FTP bounce attacks via...

7.5CVSS6.8AI score0.01959EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2010/09/14 7:0 p.m.7 views

PYSEC-2010-12

Cross-site scripting XSS vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken aka csrftoken cookie...

4.3CVSS6AI score0.019EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2010/02/26 7:30 p.m.7 views

PYSEC-2010-15

Unspecified vulnerability in MoinMoin 1.5.x through 1.7.x, 1.8.x before 1.8.7, and 1.9.x before 1.9.2 has unknown impact and attack vectors, related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured...

6.8CVSS6.9AI score0.02181EPSS
Exploits0References20Affected Software1
PyPA
PyPA
added 2010/02/26 7:30 p.m.7 views

PYSEC-2010-14

MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of the sys.argv array in situations where the GATEWAYINTERFACE environment variable is set, which allows remote attackers to obtain sensitive information via unspecified vectors...

5CVSS6.7AI score0.01869EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2009/10/13 10:30 a.m.7 views

PYSEC-2009-4

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service CPU consumption via a crafted 1 EmailField email address or 2 URLField URL that triggers a large amount of backtracking in a regular...

5CVSS6.7AI score0.03686EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2009/08/26 2:24 p.m.7 views

PYSEC-2009-2

Multiple cross-site scripting XSS vulnerabilities in Buildbot 0.7.6 through 0.7.11p2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, different vulnerabilities than CVE-2009-2959...

4.3CVSS6AI score0.02265EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added 2009/08/04 4:30 p.m.7 views

PYSEC-2009-3

The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL...

5CVSS6.9AI score0.02265EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added 2009/04/23 5:30 p.m.7 views

PYSEC-2009-17

The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors...

6CVSS5.9AI score0.00962EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2009/02/02 7:30 p.m.7 views

PYSEC-2009-15

Array index error in the qtdemuxparsesamples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins aka gst-plugins-good 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service application crash and possibly execute arbitrary code via crafted Sync Sample aka stss atom da...

9.3CVSS6.2AI score0.06483EPSS
Exploits1References18Affected Software1
PyPA
PyPA
added 2008/07/27 10:41 p.m.7 views

PYSEC-2008-5

Cross-site scripting XSS vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors...

4.3CVSS6AI score0.01335EPSS
Exploits1References9Affected Software1
Total number of security vulnerabilities5000