Lucene search
K

5613 matches found

PyPA
PyPA
added 2014/06/18 2:55 p.m.5 views

PYSEC-2014-99

Multiple cross-site scripting XSS vulnerabilities in the responderror function in routing.py in Eugene Pankov Ajenti before 1.2.21.7 allow remote attackers to inject arbitrary web script or HTML via the PATHINFO to 1 resources.js or 2 resources.css in ajenti:static/, related to the traceback page...

4.3CVSS6AI score0.02282EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2014/06/16 6:55 p.m.7 views

PYSEC-2014-78

Cross-site scripting XSS vulnerability in util/templatetags/djbletsjs.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user na...

4.3CVSS6AI score0.02392EPSS
Exploits1References9Affected Software1
PyPA
PyPA
added 2014/06/16 6:55 p.m.7 views

PYSEC-2014-79

Cross-site scripting XSS vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name...

4.3CVSS6AI score0.02083EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2014/06/09 7:55 p.m.6 views

PYSEC-2014-89

python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors...

7.5CVSS7.8AI score0.02851EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2014/05/29 2:19 p.m.6 views

PYSEC-2014-100

The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the 1 ipaNTTrustAuthIncoming and 2 ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors...

5CVSS7AI score0.02118EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2014/05/29 2:19 p.m.10 views

PYSEC-2014-103

The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the 1 ipaNTTrustAuthIncoming and 2 ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors...

5CVSS7AI score0.02118EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2014/05/27 1:55 p.m.8 views

PYSEC-2014-110

Multiple cross-site scripting XSS vulnerabilities in apps/common/templates/calculateformtitle.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a 1 tag or the 2 title of a source in a Staging folder, 3 Name field in a bootstrap setup, or Title fie...

3.5CVSS5.7AI score0.03476EPSS
Exploits1References10Affected Software1
PyPA
PyPA
added 2014/05/20 2:55 p.m.8 views

PYSEC-2014-86

The 1 makenonce, 2 generatenonce, and 3 generateverifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack...

5.8CVSS6.9AI score0.0243EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/05/20 2:55 p.m.6 views

PYSEC-2014-85

The Server.verifyrequest function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL...

4.3CVSS7AI score0.02409EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/05/19 2:55 p.m.5 views

PYSEC-2014-8

The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with jinja2 in /tmp...

4.4CVSS7AI score0.00373EPSS
Exploits0References18Affected Software1
PyPA
PyPA
added 2014/05/19 2:55 p.m.5 views

PYSEC-2014-82

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402...

4.4CVSS6.9AI score0.0043EPSS
Exploits1References9Affected Software1
PyPA
PyPA
added 2014/05/16 3:55 p.m.6 views

PYSEC-2014-19

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the 1 Vary: Cookie or 2 Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

6.4CVSS6.7AI score0.02546EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/05/16 3:55 p.m.6 views

PYSEC-2014-20

The django.util.http.issafeurl function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."...

4.3CVSS7AI score0.03123EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2014/05/14 7:55 p.m.5 views

PYSEC-2014-9

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting XSS attacks via control characters in the link scheme to the cleanhtml function...

6.1CVSS6.1AI score0.06333EPSS
Exploits1References15Affected Software1
PyPA
PyPA
added 2014/05/08 2:29 p.m.6 views

PYSEC-2014-112

The instance rescue mode in OpenStack Compute Nova 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and usecowimages is set to false, allows remote authenticated users to read certain compute host files by overwriting an instance disk with a crafted image...

3.5CVSS6.6AI score0.01488EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/05/05 5:6 p.m.7 views

PYSEC-2014-94

PyWBEM 0.7 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

5.8CVSS6.8AI score0.00907EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/05/05 5:6 p.m.5 views

PYSEC-2014-93

PyWBEM 0.7 and earlier uses a separate connection to validate X.509 certificates, which allows man-in-the-middle attackers to spoof a peer via an arbitrary certificate...

5.8CVSS6.9AI score0.01772EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.9 views

PYSEC-2014-65

Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope...

5CVSS7AI score0.014EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.74 views

PYSEC-2014-68

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API...

5.5CVSS6.7AI score0.00951EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.10 views

PYSEC-2014-67

Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope...

5CVSS7AI score0.014EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.74 views

PYSEC-2014-66

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API...

5.5CVSS6.7AI score0.00951EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/05/02 1:59 a.m.7 views

PYSEC-2014-72

Transifex command-line client before 0.10 does not validate X.509 certificates for data transfer connections, which allows man-in-the-middle attackers to spoof a Transifex server via an arbitrary certificate. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2073...

4.3CVSS7AI score0.00828EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/04/30 11:58 p.m.46 views

PYSEC-2014-98

Cross-site scripting XSS vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality...

3.5CVSS6.1AI score0.01487EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2014/04/27 8:55 p.m.9 views

PYSEC-2014-87

Python Image Library PIL 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py...

10CVSS7.9AI score0.12055EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2014/04/23 3:55 p.m.11 views

PYSEC-2014-1

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."...

5.1CVSS7.4AI score0.0565EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/04/23 3:55 p.m.8 views

PYSEC-2014-3

The 1 FilePathField, 2 GenericIPAddressField, and 3 IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, relate...

10CVSS7.2AI score0.04753EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/04/23 3:55 p.m.6 views

PYSEC-2014-2

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users...

5CVSS7AI score0.0199EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/04/17 2:55 p.m.7 views

PYSEC-2014-23

The 1 JpegImagePlugin.py and 2 EpsImagePlugin.py scripts in Python Image Library PIL 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes...

2.1CVSS6.6AI score0.00448EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2014/04/17 2:55 p.m.10 views

PYSEC-2014-22

The 1 loaddjpeg function in JpegImagePlugin.py, 2 Ghostscript function in EpsImagePlugin.py, 3 load function in IptcImagePlugin.py, and 4 copy function in Image.py in Python Image Library PIL 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users...

4.4CVSS6.4AI score0.00492EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2014/04/15 2:55 p.m.9 views

PYSEC-2014-106

The V3 API in OpenStack Identity Keystone 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service CPU consumption via a large number of the same authentication method in a request, aka "authentication chaining."...

7.8CVSS6.9AI score0.03155EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2014/04/15 2:55 p.m.7 views

PYSEC-2014-70

The authtoken middleware in the OpenStack Python client library for Keystone aka python-keystoneclient before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, relat...

6CVSS7.1AI score0.01101EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/04/11 3:55 p.m.6 views

PYSEC-2014-16

Cross-site scripting XSS vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1...

4.3CVSS6AI score0.01983EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/04/11 3:55 p.m.6 views

PYSEC-2014-15

Cross-site scripting XSS vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link...

4.3CVSS6AI score0.01983EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/04/10 8:29 p.m.6 views

PYSEC-2014-96

Cross-site scripting XSS vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter...

4.3CVSS6AI score0.01837EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/04/01 6:35 a.m.9 views

PYSEC-2014-105

The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...

5CVSS6.8AI score0.01367EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2014/03/25 4:55 p.m.6 views

PYSEC-2014-113

The VMWare driver in OpenStack Compute Nova 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service resource consumption by requesting the VM be put into rescue and then deleting the imag...

2.3CVSS6.7AI score0.00705EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.35 views

PYSEC-2014-59

Multiple open redirect vulnerabilities in 1 marmosetpatch.py, 2 publish.py, and 3 principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...

5.8CVSS7.1AI score0.0119EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.33 views

PYSEC-2014-61

memberportrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors...

5.5CVSS6.9AI score0.01255EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-52

traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service infinite loop and resource consumption via unspecified vectors related to "retrieving information for certain resources."...

4.3CVSS6.7AI score0.01347EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.10 views

PYSEC-2014-57

typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL...

4.3CVSS6.9AI score0.0119EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-60

The object manager implementation objectmanager.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request...

5CVSS6.5AI score0.0138EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.9 views

PYSEC-2014-53

Multiple unspecified vulnerabilities in 1 dataitems.py, 2 get.py, and 3 traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors...

6.5CVSS7AI score0.01255EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-58

The WYSIWYG component wysiwyg.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message...

4.3CVSS6.6AI score0.01214EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.11 views

PYSEC-2014-55

zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive...

5.8CVSS6.6AI score0.0119EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-56

sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors...

4CVSS6.8AI score0.01095EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.9 views

PYSEC-2014-54

Multiple cross-site scripting XSS vulnerabilities in 1 spamProtect.py, 2 pts.py, and 3 request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...

4.3CVSS6AI score0.01807EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.6 views

PYSEC-2014-62

mailpassword.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality...

4CVSS7AI score0.01116EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.7 views

PYSEC-2014-63

1 cbdecode.py and 2 linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service resource consumption via a large zip archive, which is expanded decompressed...

3.5CVSS6.7AI score0.01076EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.6 views

PYSEC-2014-83

The 1 extractkeysfrompdf and 2 fillpdf functions in pdfext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf...

4.4CVSS7AI score0.00343EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.7 views

PYSEC-2014-84

The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file...

4.4CVSS6.7AI score0.00355EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities5613