Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2023/08/24 11:15 p.m.•6 views

PYSEC-2023-269

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint /proxy/?url= does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and...

7.5CVSS6.7AI score0.00638EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/08/08 4:15 p.m.•6 views

PYSEC-2023-143

Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the licenseauthor field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...

5.4CVSS6.9AI score0.00467EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/08/04 6:15 p.m.•6 views

PYSEC-2023-140

MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with verify=False disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version...

9.1CVSS6.9AI score0.0024EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/08/04 4:15 p.m.•6 views

PYSEC-2023-139

Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Sydent's emails vulnerable to interception via a man-in-the-middle MITM attack. Attackers with...

9.3CVSS6.8AI score0.00229EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2023/08/03 7:36 p.m.•6 views

PYSEC-2023-135

Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems...

9.8CVSS8.3AI score0.00468EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/08/01 1:15 a.m.•6 views

PYSEC-2023-280

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0...

8.8CVSS7.1AI score0.01195EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/07/26 12:15 p.m.•6 views

PYSEC-2023-125

FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service...

7.5CVSS6.8AI score0.00636EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/07/26 10:15 a.m.•6 views

PYSEC-2023-122

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition...

9.8CVSS7.1AI score0.00657EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/07/25 10:15 p.m.•6 views

PYSEC-2023-132

copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter ?k304=... and ?setck=.... The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of t...

6.3CVSS6.4AI score0.06195EPSS
Exploits3References4Affected Software1
PyPA
PyPA
•added 2023/07/19 7:15 p.m.•6 views

PYSEC-2023-128

A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted...

2.8CVSS6.5AI score0.00203EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2023/07/12 10:15 a.m.•6 views

PYSEC-2023-119

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL.It is recommended to upgrade to a version that is not affected...

6.5CVSS6.5AI score0.00757EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2023/07/12 10:15 a.m.•6 views

PYSEC-2023-104

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the runid parameter. This vulnerability is considered low since it requires an authenticated user to exploit i...

6.5CVSS6.6AI score0.01874EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/07/12 10:15 a.m.•6 views

PYSEC-2023-106

Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang.It is recommended to upgrade to a version that is not affected...

6.5CVSS6.8AI score0.01157EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/07/11 3:15 p.m.•6 views

PYSEC-2023-116

xalpha v0.11.4 is vulnerable to Remote Command Execution RCE...

9.8CVSS7.2AI score0.01406EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/07/06 11:15 p.m.•6 views

PYSEC-2023-115

Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of Sentry...

6.8CVSS6.6AI score0.00636EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/07/06 2:15 p.m.•6 views

PYSEC-2023-109

An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method...

9.8CVSS8.1AI score0.0188EPSS
Exploits2References3Affected Software1
PyPA
PyPA
•added 2023/07/05 8:15 p.m.•6 views

PYSEC-2023-108

MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took...

7.5CVSS6.7AI score0.01082EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/06/06 7:15 p.m.•6 views

PYSEC-2023-85

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the urlpreviewurlblacklist setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the...

5.4CVSS6.7AI score0.00605EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/05/26 2:15 p.m.•6 views

PYSEC-2023-67

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disable...

5CVSS6.8AI score0.00981EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/05/19 8:15 p.m.•6 views

PYSEC-2023-80

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked nonpayable. This applies to contracts compiled with vyper version...

5.3CVSS6.8AI score0.00553EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/05/18 8:15 p.m.•6 views

PYSEC-2023-73

redis-7.0.10 was discovered to contain a segmentation violation...

7.5CVSS7.2AI score0.01028EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/05/08 12:15 p.m.•6 views

PYSEC-2023-59

Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0...

9.8CVSS7.1AI score0.0228EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/05/07 2:15 a.m.•6 views

PYSEC-2023-61

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField only the last uploaded file was validated. However,...

9.8CVSS7.1AI score0.0138EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2023/05/02 9:15 a.m.•6 views

PYSEC-2023-72

UNSUPPORTED WHEN ASSIGNED The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in...

8.8CVSS7.7AI score0.92984EPSS
Exploits12References5Affected Software1
PyPA
PyPA
•added 2023/04/24 10:15 p.m.•6 views

PYSEC-2023-131

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the rawcall with revertonfailure=False and maxoutsize=0 receives the wrong response from rawcall. Depending on the...

7.5CVSS6.8AI score0.00883EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2023/04/20 9:15 p.m.•6 views

PYSEC-2023-40

pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export a non-default feature. Organizers can trigger the overwriting with the standard pretalx 404 page content of an arbitrary file...

4.3CVSS6.9AI score0.03429EPSS
Exploits3References5Affected Software1
PyPA
PyPA
•added 2023/04/03 5:15 p.m.•6 views

PYSEC-2023-55

Wagtail is an open source content management system built on Django. Starting in version 1.5 and prior to versions 4.1.4 and 4.2.2, a stored cross-site scripting XSS vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission editor account for th...

6.4CVSS5.6AI score0.00772EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2023/03/24 3:15 p.m.•6 views

PYSEC-2023-28

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2...

5.3CVSS6.8AI score0.00578EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/03/04 12:15 a.m.•6 views

PYSEC-2023-54

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

8.8CVSS6.9AI score0.00571EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/02/27 9:15 p.m.•6 views

PYSEC-2023-15

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity XXE injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version...

6.5CVSS7.6AI score0.00836EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/02/14 8:15 p.m.•6 views

PYSEC-2023-58

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. ...

7.5CVSS7.5AI score0.0142EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/02/03 8:15 p.m.•6 views

PYSEC-2023-39

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. isvalidethsignature is missing a call to finalizekeccak after calling verifyethsignature. As a result, any contract using isvalidethsignature from the...

6.4CVSS6.9AI score0.0022EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/01/30 5:15 a.m.•6 views

PYSEC-2023-298

isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF...

5.3CVSS7AI score0.00558EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/01/26 9:18 p.m.•6 views

PYSEC-2023-21

LTI Consumer XBlock implements the consumer side of the LTI specification enabling integration of third-party LTI provider tools. Versions 7.0.0 and above, prior to 7.2.2, are vulnerable to Missing Authorization. Any LTI tool that is integrated with on the Open edX platform can post a grade back...

5.4CVSS7.2AI score0.00384EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2023/01/24 12:0 a.m.•6 views

PYSEC-2023-1

Adyen has utility methods for validating notification HMAC signatures. The isvalidhmac and isvalidhmacnotification methods are vulnerable to a timing attack, you should compare the hash of the HMACs instead...

6.9AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/01/19 6:15 p.m.•6 views

PYSEC-2023-283

Cross-Site Request Forgery CSRF in GitHub repository modoboa/modoboa prior to 2.0.4...

5.4CVSS6.7AI score0.00386EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/01/19 9:15 a.m.•6 views

PYSEC-2023-282

Cross-Site Request Forgery CSRF in GitHub repository modoboa/modoboa prior to 2.0.4...

6.5CVSS6.7AI score0.00348EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2023/01/17 10:15 p.m.•6 views

PYSEC-2023-25

mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service ReDoS prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for t...

7.5CVSS6.8AI score0.28661EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2023/01/05 9:15 a.m.•6 views

PYSEC-2023-14

UNSUPPPORTED WHEN ASSIGNED UNSUPPORTED WHEN ASSIGNED A vulnerability classified as problematic was found in University of Cambridge django-ucamlookup up to 1.9.1. Affected by this vulnerability is an unknown functionality of the component Lookup Handler. The manipulation leads to cross site...

6.1CVSS6.2AI score0.00548EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/12/27 3:15 p.m.•6 views

PYSEC-2022-43010

Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5...

9.8CVSS6.7AI score0.00827EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/12/27 3:15 p.m.•6 views

PYSEC-2022-43009

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5...

6.5CVSS6.8AI score0.00632EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/12/27 3:15 p.m.•6 views

PYSEC-2022-43006

Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5...

6.1CVSS6.8AI score0.00481EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/12/27 11:15 a.m.•6 views

PYSEC-2022-43014

A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16. This issue affects the function calculatex of the file srp/ctsrp.py. The manipulation leads to information exposure through discrepancy. Upgrading to version 1.0.17 is able to address this issue. T...

7.5CVSS6.8AI score0.00705EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2022/12/25 5:15 a.m.•6 views

PYSEC-2022-43013

Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp...

7.5CVSS6.9AI score0.00469EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/12/23 12:15 a.m.•6 views

PYSEC-2022-43012

Python Packaging Authority PyPA setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service ReDoS in packageindex.py...

5.9CVSS6.7AI score0.02617EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2022/12/23 12:15 a.m.•6 views

PYSEC-2022-43017

An issue discovered in Python Packaging Authority PyPA Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli...

7.5CVSS6.8AI score0.02659EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/12/22 2:15 a.m.•6 views

PYSEC-2022-43004

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.5.4...

6.5CVSS6.7AI score0.00313EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/12/17 2:15 a.m.•6 views

PYSEC-2022-43016

A vulnerability, which was classified as problematic, has been found in UBI Reader up to 0.8.0. Affected by this issue is the function ubireaderextractfiles of the file ubireader/ubifs/output.py of the component UBIFS File Handler. The manipulation leads to path traversal. The attack may be...

7.1CVSS7AI score0.00537EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2022/12/17 12:15 a.m.•6 views

PYSEC-2022-42994

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine...

7.8CVSS6.8AI score0.0059EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/12/13 11:15 p.m.•6 views

PYSEC-2022-43155

wasm3 commit 7890a2097569fde845881e0b352d813573e371f9 was discovered to contain a segmentation fault via the component opCallIndirect at /m3exec.h...

5.5CVSS7.3AI score0.00305EPSS
Exploits1References2Affected Software1
Total number of security vulnerabilities5000