Lucene search
K

5613 matches found

PyPA
PyPA
•added 2014/11/03 10:55 p.m.•12 views

PYSEC-2014-50

The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG...

5CVSS7.4AI score0.02337EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2014/11/03 10:55 p.m.•5 views

PYSEC-2014-51

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator PRNG, which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability...

5CVSS6.9AI score0.02337EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2014/11/03 10:55 p.m.•7 views

PYSEC-2014-42

The batch id change script renameObjectsByPaths.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request...

4.3CVSS6.8AI score0.01087EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/10/27 1:55 a.m.•7 views

PYSEC-2014-25

The fromyaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method...

7.5CVSS7.8AI score0.02409EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/10/27 1:55 a.m.•6 views

PYSEC-2014-24

emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method...

7.5CVSS7.8AI score0.02409EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/10/25 10:55 p.m.•8 views

PYSEC-2014-77

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; semi-colon and a Content-Type that would not be accepted, as...

6.8CVSS7.5AI score0.03101EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/10/25 9:55 p.m.•7 views

PYSEC-2014-91

The shellquote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "" backslash characters to form multi-command sequences, a different...

7.5CVSS8.1AI score0.03388EPSS
Exploits5References8Affected Software1
PyPA
PyPA
•added 2014/10/25 9:55 p.m.•7 views

PYSEC-2014-92

python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323...

7.5CVSS7.5AI score0.02851EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2014/10/25 9:55 p.m.•7 views

PYSEC-2014-90

The shellquote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$" command-substitution sequences, a different vulnerability than CVE-2014-1928...

7.5CVSS8.1AI score0.03388EPSS
Exploits5References8Affected Software1
PyPA
PyPA
•added 2014/10/15 2:55 p.m.•6 views

PYSEC-2014-13

Requests aka python-requests before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request...

5CVSS7.1AI score0.022EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/10/15 2:55 p.m.•6 views

PYSEC-2014-14

Requests aka python-requests before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request...

5CVSS6.6AI score0.02036EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/10/02 2:55 p.m.•5 views

PYSEC-2014-26

OpenStack keystonemiddleware formerly python-keystoneclient 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration paste.ini file regardless of the value, which allows remote attackers to conduct man-in-the-middle...

4.3CVSS6.8AI score0.01948EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2014/10/02 2:55 p.m.•8 views

PYSEC-2014-71

OpenStack keystonemiddleware formerly python-keystoneclient 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration paste.ini file regardless of the value, which allows remote attackers to conduct man-in-the-middle...

4.3CVSS6.8AI score0.01948EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-31

The App.Undo.UndoSupport.getrequestvarorattr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors...

6.5CVSS7.1AI score0.01272EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-36

Cross-site scripting XSS vulnerability in pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "u,translate."...

4.3CVSS6AI score0.01187EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•8 views

PYSEC-2014-32

Cross-site scripting XSS vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

4.3CVSS6AI score0.01187EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-74

The App.Undo.UndoSupport.getrequestvarorattr function in Zope before 2.12.21 and 2.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors...

6.5CVSS7.1AI score0.01272EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•5 views

PYSEC-2014-39

membershiptool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL...

5CVSS6.8AI score0.02118EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-49

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation...

4.3CVSS7.1AI score0.00933EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•12 views

PYSEC-2014-45

ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors...

5CVSS6.9AI score0.014EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-46

Cross-site scripting XSS vulnerability in widgettraversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

4.3CVSS6AI score0.01187EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-73

ZPublisher.HTTPRequest.scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed LF character...

6.4CVSS7.1AI score0.02479EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•5 views

PYSEC-2014-30

pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject...

5CVSS7.4AI score0.02589EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-44

Cross-site scripting XSS vulnerability in safehtml.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors...

3.5CVSS5.9AI score0.00967EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-35

gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors...

8.5CVSS7.7AI score0.01695EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•5 views

PYSEC-2014-40

queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection...

5CVSS6.8AI score0.02641EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-75

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation...

4.3CVSS7.1AI score0.00933EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-28

ZPublisher.HTTPRequest.scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed LF character...

6.4CVSS7.1AI score0.02479EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•8 views

PYSEC-2014-41

pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service memory consumption via a large value, related to formatColumns...

5CVSS6.8AI score0.02427EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-48

pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service infinite loop via an RSS feed request for a folder the user does not have permission to access...

5CVSS6.7AI score0.01604EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-34

uidcatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL...

5CVSS6.8AI score0.014EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-43

atdownload.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs Files and Images stored on custom content types via a crafted URL...

5CVSS6.7AI score0.014EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-47

atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name...

5CVSS6.8AI score0.014EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•5 views

PYSEC-2014-27

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface...

6.8CVSS7.5AI score0.02066EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-33

z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id...

4.3CVSS6.9AI score0.01231EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-38

kupuspellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service ZServer thread lock via a crafted URL...

5CVSS6.7AI score0.01604EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-29

The sandbox whitelisting function allowmodule.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing...

8.5CVSS7.7AI score0.01695EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•8 views

PYSEC-2014-37

pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "goback."...

5CVSS7.4AI score0.01663EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/29 10:55 p.m.•8 views

PYSEC-2014-115

The urlopen function in pym/portage/util/urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate...

9.3CVSS6.8AI score0.01557EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2014/08/26 2:55 p.m.•5 views

PYSEC-2014-6

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors...

6CVSS6.8AI score0.01961EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/08/26 2:55 p.m.•5 views

PYSEC-2014-5

The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause ...

4.3CVSS6.9AI score0.02449EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/08/26 2:55 p.m.•9 views

PYSEC-2014-4

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // slash slash in a URL, which triggers a scheme-relative URL...

5.8CVSS7AI score0.02277EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2014/08/26 2:55 p.m.•7 views

PYSEC-2014-7

The administrative interface contrib.admin in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a tofield...

3.5CVSS6.4AI score0.01984EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2014/08/25 2:55 p.m.•6 views

PYSEC-2014-107

The MySQL token driver in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token...

4.9CVSS6.7AI score0.01592EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/08/25 2:55 p.m.•5 views

PYSEC-2014-108

The V3 API in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issuedat value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification 1 GET or 2 HEAD request to v3/auth/tokens/...

4.9CVSS6.8AI score0.01515EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/08/25 2:55 p.m.•6 views

PYSEC-2014-109

OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain...

4.9CVSS6.8AI score0.01488EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/08/25 2:55 p.m.•6 views

PYSEC-2014-10

PIL/IcnsImagePlugin.py in Python Imaging Library PIL and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size...

5CVSS6.7AI score0.03587EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/08/22 5:55 p.m.•5 views

PYSEC-2014-18

Multiple unspecified vulnerabilities in Salt aka SaltStack before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in 1 seed.py, 2 salt-ssh, or 3 salt-cloud...

7.2CVSS6.9AI score0.00407EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/08/07 11:13 a.m.•7 views

PYSEC-2014-21

IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page...

6.8CVSS7.8AI score0.04665EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2014/06/19 10:50 a.m.•7 views

PYSEC-2014-114

Cross-site scripting XSS vulnerability in lua/hostdetails.lua in ntopng 1.1 allows remote attackers to inject arbitrary web script or HTML via the host parameter...

4.3CVSS6AI score0.01233EPSS
Exploits2References5Affected Software1
Total number of security vulnerabilities5613