Lucene search
K

5616 matches found

PyPA
PyPA
•added 2016/02/08 7:59 p.m.•6 views

PYSEC-2016-14

Django 1.9.x before 1.9.2, when ModelAdmin.saveas is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission...

6CVSS6.9AI score0.01522EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/02/03 6:59 p.m.•6 views

PYSEC-2016-36

The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name...

10CVSS7AI score0.02945EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2016/02/03 6:59 p.m.•9 views

PYSEC-2016-37

Radicale before 1.1 allows remote authenticated users to bypass ownerwrite and owneronly limitations via regex metacharacters in the user name, as demonstrated by "."...

5.3CVSS6.8AI score0.02219EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2016/02/03 6:59 p.m.•6 views

PYSEC-2016-20

The identity service in OpenStack Identity Keystone before 2015.1.3 Kilo and 8.0.x before 8.0.2 Liberty and keystonemiddleware formerly python-keystoneclient before 1.5.4 Kilo and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers,...

7.5CVSS6.9AI score0.01708EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2016/01/13 3:59 p.m.•6 views

PYSEC-2016-10

The verify function in the RSA package for Python Python-RSA before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack...

5.3CVSS6.8AI score0.07054EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2016/01/08 8:59 p.m.•6 views

PYSEC-2016-32

The FontManager.getnixfontpath function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name...

9.3CVSS7.8AI score0.06664EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2015/12/07 8:59 p.m.•5 views

PYSEC-2015-11

The getformat function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRETKEY...

5CVSS6.8AI score0.04284EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2015/11/25 8:59 p.m.•8 views

PYSEC-2015-28

OpenStack Ironic Inspector aka ironic-inspector or ironic-discoverd, when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error...

6.8CVSS7.8AI score0.01585EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2015/11/17 3:59 p.m.•8 views

PYSEC-2015-41

providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service Provider SP owner, which allows remote authenticated users to cause a denial of service via a duplicate SP name...

4CVSS6.7AI score0.013EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2015/11/17 3:59 p.m.•6 views

PYSEC-2015-42

providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider SP...

5.5CVSS6.6AI score0.01493EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2015/10/29 8:59 p.m.•7 views

PYSEC-2015-13

CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the camefrom parameter to admin/login...

5CVSS7.6AI score0.06039EPSS
Exploits6References5Affected Software1
PyPA
PyPA
•added 2015/09/29 7:59 p.m.•5 views

PYSEC-2015-25

The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types...

6.8CVSS7.6AI score0.01685EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2015/09/29 7:59 p.m.•7 views

PYSEC-2015-27

The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types...

6.8CVSS7.6AI score0.01685EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2015/09/21 7:59 p.m.•6 views

PYSEC-2015-26

Cross-site scripting XSS vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site reque...

4.3CVSS6AI score0.02768EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2015/09/21 7:59 p.m.•5 views

PYSEC-2015-24

Cross-site scripting XSS vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site reque...

4.3CVSS6AI score0.02768EPSS
Exploits1References11Affected Software1
PyPA
PyPA
•added 2015/08/24 2:59 p.m.•11 views

PYSEC-2015-22

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service session store consumption or session record removal via a large number of requests to...

5CVSS6.9AI score0.05163EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2015/08/24 2:59 p.m.•5 views

PYSEC-2015-23

The 1 contrib.sessions.backends.base.SessionBase.flush and 2 cachedb.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service session stor...

5CVSS6.9AI score0.04928EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2015/08/20 8:59 p.m.•6 views

PYSEC-2015-40

Cross-site scripting XSS vulnerability in the Orchestration/Stack section in OpenStack Dashboard Horizon 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handl...

4.3CVSS6AI score0.02758EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2015/08/19 3:59 p.m.•7 views

PYSEC-2015-39

The import task action in OpenStack Image Service Glance 2015.1.x before 2015.1.2 kilo, when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image...

3.5CVSS6.7AI score0.01499EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2015/08/12 2:59 p.m.•5 views

PYSEC-2015-1

Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

4.3CVSS6.9AI score0.00933EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2015/07/14 5:59 p.m.•5 views

PYSEC-2015-20

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service session store consumption via multiple requests with unique session keys...

7.8CVSS6.8AI score0.07266EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2015/07/14 5:59 p.m.•8 views

PYSEC-2015-10

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an 1 email message to the EmailValidator, a ...

4.3CVSS7.1AI score0.03665EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2015/07/14 5:59 p.m.•5 views

PYSEC-2015-21

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service CPU consumption via unspecified vectors...

7.8CVSS6.8AI score0.02975EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2015/06/16 4:59 p.m.•6 views

PYSEC-2015-2

ceph-deploy before 1.5.23 uses weak permissions 644 for ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file...

2.1CVSS6.2AI score0.00376EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2015/06/08 2:59 p.m.•5 views

PYSEC-2015-3

The admin command in ceph-deploy before 1.5.25 uses world-readable permissions for /etc/ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file...

2.1CVSS6.4AI score0.00383EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2015/06/02 2:59 p.m.•8 views

PYSEC-2015-19

The session.flush function in the cacheddb backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key...

5CVSS7AI score0.01748EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2015/05/01 3:59 p.m.•5 views

PYSEC-2015-15

The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image...

5CVSS6.7AI score0.01991EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2015/04/24 2:59 p.m.•6 views

PYSEC-2015-12

django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXTFILTERSETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors...

5CVSS7AI score0.01792EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2015/04/17 5:59 p.m.•7 views

PYSEC-2015-30

The s3token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration paste.ini file regardless of the value, which allows remote attackers to conduct...

4.3CVSS7AI score0.02586EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2015/04/17 5:59 p.m.•7 views

PYSEC-2015-31

The s3token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration paste.ini file regardless of the value, which allows remote attackers to conduct...

4.3CVSS7AI score0.02586EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2015/03/31 2:59 p.m.•5 views

PYSEC-2015-14

The validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command...

7.5CVSS7.7AI score0.04199EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2015/03/31 2:59 p.m.•7 views

PYSEC-2015-34

The buildindexfromtree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree...

7.5CVSS7.9AI score0.05032EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2015/03/31 2:59 p.m.•6 views

PYSEC-2015-35

Buffer overflow in the C implementation of the applydelta function in pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file...

7.5CVSS8.2AI score0.03375EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2015/03/25 2:59 p.m.•5 views

PYSEC-2015-9

The utils.http.issafeurl function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting XSS attacks via a control character in a URL, as demonstrated by a...

4.3CVSS6.1AI score0.0499EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2015/03/25 2:59 p.m.•6 views

PYSEC-2015-18

The utils.html.striptags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service infinite loop by increasing the length of the input string...

5CVSS6.8AI score0.0496EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2015/03/18 4:59 p.m.•6 views

PYSEC-2015-17

The resolveredirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect...

6.8CVSS5.6AI score0.03408EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2015/03/12 2:59 p.m.•4 views

PYSEC-2015-8

Cross-site scripting XSS vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonlyfields, as demonstrated by a @property...

4.3CVSS6AI score0.02052EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2015/02/24 3:59 p.m.•8 views

PYSEC-2015-38

OpenStack Image Registry and Delivery Service Glance 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service disk consumption by creating a large number of images using the task v2 API and then deleting them, a different...

4CVSS6.8AI score0.02101EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2015/02/24 3:59 p.m.•9 views

PYSEC-2015-37

OpenStack Image Registry and Delivery Service Glance 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service disk consumption by creating a large number of images using the task v2 API and then deleting them before the uploads...

4CVSS6.8AI score0.02101EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2015/02/16 3:59 p.m.•10 views

PYSEC-2015-33

RhodeCode before 2.2.7 allows remote authenticated users to obtain API keys and other sensitive information via the 1 updaterepo, 2 getlocks, or 3 getusergroups API method...

4CVSS6.6AI score0.00947EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2015/02/16 3:59 p.m.•7 views

PYSEC-2015-32

RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the getrepo API method...

4CVSS6.6AI score0.01207EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2015/02/16 3:59 p.m.•8 views

PYSEC-2015-29

RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the getrepo API method...

4CVSS6.6AI score0.01207EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•6 views

PYSEC-2015-5

The django.util.http.issafeurl function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting XSS attacks via a crafted URL, related to redirect URLs, as demonstrated by a...

4.3CVSS6AI score0.03028EPSS
Exploits1References13Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•8 views

PYSEC-2015-4

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an underscore character instead of a - dash character in an HTTP header, as demonstrated by an X-AuthUser header...

5CVSS7AI score0.06783EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•7 views

PYSEC-2015-16

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed...

5CVSS6.8AI score0.05426EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•8 views

PYSEC-2015-7

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when showhiddeninitial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries...

5CVSS7.4AI score0.0269EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•5 views

PYSEC-2015-6

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service memory consumption via a long line in a file...

5CVSS6.8AI score0.04334EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2015/01/02 8:59 p.m.•9 views

PYSEC-2015-36

Buffer overflow in the RiffVideo::infoTagsHandler function in riffvideo.cpp in Exiv2 0.24 allows remote attackers to cause a denial of service crash via a long IKEY INFO tag value in an AVI file...

5CVSS7.1AI score0.03654EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2014/11/24 3:59 p.m.•5 views

PYSEC-2014-11

pip 1.3 through 1.5.6 allows local users to cause a denial of service prevention of package installation by creating a /tmp/pip-build- file for another user...

2.1CVSS6.4AI score0.00393EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/11/19 6:59 p.m.•4 views

PYSEC-2014-101

FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows remote attackers to bypass the password requirement of the two-factor authentication leveraging an enabled OTP token, which triggers an anonymous bind...

3.5CVSS7.3AI score0.01787EPSS
Exploits0References8Affected Software1
Total number of security vulnerabilities5616