Lucene search
K

5616 matches found

PyPA
PyPA
•added 2017/02/22 4:59 p.m.•8 views

PYSEC-2017-14

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of the less than character in attribute values...

6.1CVSS6.1AI score0.02141EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2017/02/15 7:59 p.m.•7 views

PYSEC-2017-48

Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document...

8.2CVSS6.9AI score0.01159EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/02/15 3:59 p.m.•7 views

PYSEC-2017-94

Heap-based buffer overflow in the ALGnew function in blocktemplace.c in Python Cryptography Toolkit aka pycrypto allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py...

9.8CVSS8.3AI score0.09501EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2017/02/09 8:59 p.m.•5 views

PYSEC-2017-104

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and...

5.9CVSS6.6AI score0.01263EPSS
Exploits3References7Affected Software1
PyPA
PyPA
•added 2017/02/09 8:59 p.m.•8 views

PYSEC-2017-103

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and...

5.9CVSS6.6AI score0.01263EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2017/02/07 5:59 p.m.•7 views

PYSEC-2017-34

Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching...

9.1CVSS6.9AI score0.02581EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/02/04 5:59 a.m.•7 views

PYSEC-2017-64

Cross-site scripting XSS vulnerability in the managefindResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the objids:tokens parameter...

6.1CVSS6.1AI score0.01575EPSS
Exploits3References5Affected Software1
PyPA
PyPA
•added 2017/01/31 7:59 p.m.•8 views

PYSEC-2017-33

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient...

5.6CVSS7.2AI score0.00873EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/01/30 10:59 p.m.•8 views

PYSEC-2017-20

Cross-site scripting XSS vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

6.1CVSS6AI score0.01452EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/01/30 10:59 p.m.•7 views

PYSEC-2017-32

The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file...

3.3CVSS6.2AI score0.00407EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/01/23 9:59 p.m.•8 views

PYSEC-2017-28

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys...

9.8CVSS7.1AI score0.02094EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/01/19 8:59 p.m.•7 views

PYSEC-2017-74

The tqdm.version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory...

7.8CVSS7.5AI score0.00438EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/01/11 4:59 p.m.•8 views

PYSEC-2017-98

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. Thi...

3.7CVSS6.6AI score0.00775EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/01/10 3:59 p.m.•6 views

PYSEC-2017-93

A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority informati...

7.5CVSS6.6AI score0.01792EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/01/10 3:59 p.m.•7 views

PYSEC-2017-87

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK...

7.8CVSS6.8AI score0.01757EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/12/23 10:59 p.m.•5 views

PYSEC-2016-39

An exploitable out-of-bounds array access vulnerability exists in the xrowheaderdecode function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key's valu...

7.8CVSS6.8AI score0.03675EPSS
Exploits2References4Affected Software1
PyPA
PyPA
•added 2016/12/21 10:59 p.m.•8 views

PYSEC-2016-21

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity XXE attacks via a crafted document...

8.8CVSS7AI score0.02354EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/12/16 9:59 a.m.•6 views

PYSEC-2016-24

redirect in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect"233\r\nSet-Cookie: name=salt" call...

6.5CVSS6.9AI score0.01761EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/12/09 8:59 p.m.•6 views

PYSEC-2016-18

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWEDHOSTS...

8.1CVSS7AI score0.06074EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2016/12/09 8:59 p.m.•5 views

PYSEC-2016-17

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually...

9.8CVSS6.9AI score0.05144EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2016/11/10 5:59 p.m.•7 views

PYSEC-2016-30

MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation or crafted URL" approach, related to a "Cross Site Scripting XSS" issue affecting the action=fckdialog=attachment via page name component...

6.1CVSS6.5AI score0.01186EPSS
Exploits3References5Affected Software1
PyPA
PyPA
•added 2016/11/10 5:59 p.m.•7 views

PYSEC-2016-31

MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation" approach, related to a "Cross Site Scripting XSS" issue affecting the action=AttachFile via page name component...

6.1CVSS6.5AI score0.01186EPSS
Exploits3References5Affected Software1
PyPA
PyPA
•added 2016/11/04 10:59 a.m.•8 views

PYSEC-2016-9

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component...

7.8CVSS7.9AI score0.02026EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2016/11/04 10:59 a.m.•5 views

PYSEC-2016-8

Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.mapbuffer in map.c component...

5.5CVSS6.5AI score0.01861EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2016/10/07 6:59 p.m.•8 views

PYSEC-2016-25

flask-oidc version 0.1.2 and earlier is vulnerable to an open redirect...

7.4CVSS6.9AI score0.00795EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2016/10/03 6:59 p.m.•6 views

PYSEC-2016-3

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies...

7.5CVSS7.2AI score0.0613EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2016/09/26 4:59 p.m.•6 views

PYSEC-2016-22

OpenStack Murano before 1.0.3 liberty and 2.x before 2.0.1 mitaka, Murano-dashboard before 1.0.3 liberty and 2.x before 2.0.1 mitaka, and python-muranoclient before 0.7.3 liberty and 0.8.x before 0.8.5 mitaka improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files,...

9.8CVSS8AI score0.03166EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/09/07 7:28 p.m.•7 views

PYSEC-2016-13

fileopen in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors...

4.4CVSS6.9AI score0.01819EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/09/07 7:28 p.m.•6 views

PYSEC-2016-41

fileopen in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors...

4.4CVSS6.9AI score0.01819EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/09/07 7:28 p.m.•7 views

PYSEC-2016-40

Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors...

5.3CVSS7AI score0.01587EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/09/07 7:28 p.m.•5 views

PYSEC-2016-12

Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors...

5.3CVSS7AI score0.01587EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/09/01 11:59 p.m.•6 views

PYSEC-2016-4

The Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack MMA...

5.3CVSS6.8AI score0.02226EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2016/08/05 3:59 p.m.•9 views

PYSEC-2016-2

Cross-site scripting XSS vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors...

6.1CVSS6AI score0.05536EPSS
Exploits6References18Affected Software1
PyPA
PyPA
•added 2016/06/13 2:59 p.m.•7 views

PYSEC-2016-38

The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...

4.3CVSS6.8AI score0.01402EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2016/06/03 2:59 p.m.•8 views

PYSEC-2016-1

The createscript function in the lxccontainer module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on 1 /opt/.lxc-attach-script, 2 the archived container in the archivepath directory, or the 3...

7.8CVSS7.1AI score0.00468EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2016/05/09 8:59 p.m.•9 views

PYSEC-2016-28

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name...

8.8CVSS7.8AI score0.02655EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2016/04/15 5:59 p.m.•7 views

PYSEC-2016-34

The TripleO Heat templates tripleo-heat-templates do not properly order the Identity Service keystone before the OpenStack Object Storage Swift staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive...

7.5CVSS6.6AI score0.02415EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•8 views

PYSEC-2016-26

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository...

8.8CVSS7.9AI score0.05405EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•7 views

PYSEC-2016-7

Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow...

10CVSS7.8AI score0.07871EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•8 views

PYSEC-2016-29

The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a 1 clone, 2 push, or 3 pull command, related to a a list sizing rounding error and b short records...

8.8CVSS8AI score0.04832EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•6 views

PYSEC-2016-6

Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service crash via a crafted FLI file...

6.5CVSS7AI score0.02689EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•4 views

PYSEC-2016-5

Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file...

6.5CVSS7.2AI score0.0236EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•6 views

PYSEC-2016-19

Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library PIL 1.1.7 and earlier allows remote attackers to cause a denial of service crash via a crafted PhotoCD file...

6.5CVSS7AI score0.03998EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•6 views

PYSEC-2016-27

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository...

8.8CVSS7.9AI score0.04953EPSS
Exploits0References18Affected Software1
PyPA
PyPA
•added 2016/04/13 3:59 p.m.•8 views

PYSEC-2016-11

model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records...

4.3CVSS7AI score0.0115EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2016/04/13 2:59 p.m.•5 views

PYSEC-2016-33

schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details...

4.3CVSS6.5AI score0.01535EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/04/12 2:59 p.m.•6 views

PYSEC-2016-23

Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream...

8.1CVSS7.9AI score0.01516EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/04/11 9:59 p.m.•6 views

PYSEC-2016-35

The TripleO Heat templates tripleo-heat-templates, when deployed via the commandline interface, allow remote attackers to spoof OpenStack Networking metadata requests by leveraging knowledge of the default value of the NeutronMetadataProxySharedSecret parameter...

7.5CVSS7AI score0.01651EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/04/08 3:59 p.m.•8 views

PYSEC-2016-16

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests...

3.1CVSS7AI score0.03317EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2016/04/08 3:59 p.m.•8 views

PYSEC-2016-15

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...

7.4CVSS6.3AI score0.04035EPSS
Exploits0References14Affected Software1
Total number of security vulnerabilities5616