5616 matches found
PYSEC-2017-134
There is a stack consumption vulnerability in the Exiv2::Internal::stringFormat function of image.cpp in Exiv2 0.26. A Crafted input will lead to a remote denial of service attack...
PYSEC-2017-136
A NULL pointer dereference was discovered in Exiv2::Image::printIFDStructure in image.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service...
PYSEC-2017-133
There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMetadata function of jp2image.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack...
PYSEC-2017-132
An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service...
PYSEC-2017-38
When using the localbatch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed...
PYSEC-2017-39
Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's sshclient...
PYSEC-2017-51
Multiple cross-site request forgery CSRF vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x...
PYSEC-2017-52
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator...
PYSEC-2017-150
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow...
PYSEC-2017-65
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow...
PYSEC-2017-53
Cross-site scripting XSS vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1...
PYSEC-2017-54
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses...
PYSEC-2017-152
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploi...
PYSEC-2017-45
Cross-site scripting XSS vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path...
PYSEC-2017-16
Cross-site request forgery CSRF vulnerability in Kallithea before 0.2...
PYSEC-2017-46
Cross-site scripting XSS vulnerability in IPython before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/notebooks path...
PYSEC-2017-47
Cross-site request forgery in the REST API in IPython 2 and 3...
PYSEC-2017-17
Multiple cross-site scripting XSS vulnerabilities in the administration pages in Kallithea before 0.2.1 allow remote attackers to inject arbitrary web script or HTML via the 1 first name or 2 last name user details, or the 3 repository, 4 repository group, or 5 user group description...
PYSEC-2017-5
An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability...
PYSEC-2017-27
python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection...
PYSEC-2017-147
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the loc...
PYSEC-2017-44
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you...
PYSEC-2017-83
Scrapy 1.4 allows remote attackers to cause a denial of service memory consumption via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by...
PYSEC-2017-114
Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not enforce RecordSets per domain, and Records per RecordSet quotas when processing an internal zone file transfer, which might allow remote attackers to cause a denial of service infinite loop via a crafted resource record s...
PYSEC-2017-107
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality...
PYSEC-2017-106
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookies that could be accessible to client-side script...
PYSEC-2017-109
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Reflected XSS in the search functionality...
PYSEC-2017-110
Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information...
PYSEC-2017-111
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to cross frame scripting...
PYSEC-2017-108
Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to DOM XSS in the edit-tag functionality...
PYSEC-2017-105
Apache Atlas versions 0.6.0 incubating, 0.7.0 incubating, and 0.7.1 incubating allow access to the webapp directory contents by pointing to URIs like /js and /img...
PYSEC-2017-66
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service bad response, or have other unspecified impact by performing a man-in-the-middle attack...
PYSEC-2017-31
Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules...
PYSEC-2017-49
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service bad response, or have other unspecified impact by performing a man-in-the-middle attack...
PYSEC-2017-24
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
PYSEC-2017-151
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID...
PYSEC-2017-35
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID...
PYSEC-2017-41
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups...
PYSEC-2017-128
There is an illegal address access in Exiv2::FileIo::pathabi:cxx11 in basicio.cpp of libexiv2 in Exiv2 0.26 that will lead to remote denial of service...
PYSEC-2017-129
There is a heap-based buffer over-read in libexiv2 in Exiv2 0.26 that is triggered in the Exiv2::Image::io function in image.cpp. It will lead to remote denial of service...
PYSEC-2017-127
There is a heap-based buffer overflow in basicio.cpp of Exiv2 0.26. The vulnerability causes an out-of-bounds write in Exiv2::Image::printIFDStructure, which may lead to remote denial of service or possibly unspecified other impact...
PYSEC-2017-11
Cross-site request forgery CSRF vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors...
PYSEC-2017-6
attic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file"...
PYSEC-2017-1
The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will stick into an infinite loop, which can allow attackers to cause a DoS attack...
PYSEC-2017-69
Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrapsocket function in Python with the default CERTNONE value for the certreqs argument...
PYSEC-2017-145
OpenStack Compute nova Icehouse, Juno and Havana when live migration fails allows local users to access VM volumes that they would normally not have permissions for...
PYSEC-2017-50
Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode...
PYSEC-2017-71
winuseradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs...
PYSEC-2017-148
Cross-site scripting XSS vulnerability in ZMI pages that use the managetabsmessage in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12...
PYSEC-2017-126
There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input...