Lucene search
K

5613 matches found

PyPA
PyPA
•added 2011/12/31 1:55 a.m.•9 views

PYSEC-2011-23

virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/...

1.2CVSS6.7AI score0.00324EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2011/12/30 1:55 a.m.•10 views

PYSEC-2011-22

Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service CPU consumption by sending many crafted parameters...

5CVSS6.8AI score0.02153EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2011/12/05 11:55 a.m.•6 views

PYSEC-2011-17

Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryddetach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving...

6.9CVSS7.3AI score0.00346EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•6 views

PYSEC-2011-5

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page...

6.8CVSS7.2AI score0.01093EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•7 views

PYSEC-2011-4

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request...

5CVSS6.9AI score0.02304EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•6 views

PYSEC-2011-1

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that...

5.8CVSS6.9AI score0.02284EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•7 views

PYSEC-2011-2

The verifyexists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service resource consumption via a URL associated with...

6.4CVSS7AI score0.04266EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2011/10/19 10:55 a.m.•6 views

PYSEC-2011-3

The verifyexists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitra...

5CVSS7AI score0.02341EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/10/10 10:55 a.m.•10 views

PYSEC-2011-27

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587...

9.3CVSS7.1AI score0.78546EPSS
Exploits15References5Affected Software1
PyPA
PyPA
•added 2011/10/10 10:55 a.m.•10 views

PYSEC-2011-26

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p class in OFS/misc.py and the use of Python modules...

9.3CVSS7.7AI score0.78546EPSS
Exploits15References9Affected Software1
PyPA
PyPA
•added 2011/09/12 12:41 p.m.•6 views

PYSEC-2011-24

libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle MITM attack...

4.3CVSS6.9AI score0.01379EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2011/07/19 8:55 p.m.•10 views

PYSEC-2011-32

Unspecified vulnerability in 1 Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and 2 PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability...

7.5CVSS5.8AI score0.03171EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2011/07/19 8:55 p.m.•8 views

PYSEC-2011-25

Unspecified vulnerability in 1 Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and 2 PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability...

7.5CVSS7.3AI score0.03171EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2011/06/06 7:55 p.m.•6 views

PYSEC-2011-14

Cross-site scripting XSS vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL...

4.3CVSS5.9AI score0.02367EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/06/06 7:55 p.m.•11 views

PYSEC-2011-16

plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011...

5.5CVSS7AI score0.01579EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2011/06/06 7:55 p.m.•8 views

PYSEC-2011-15

Cross-site scripting XSS vulnerability in the safehtml filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422...

4.3CVSS6AI score0.01257EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/04/11 6:55 p.m.•6 views

PYSEC-2011-18

Cross-site scripting XSS vulnerability in feedparser.py in Universal Feed Parser aka feedparser or python-feedparser before 5.0 allows remote attackers to inject arbitrary web script or HTML via vectors involving nested CDATA stanzas...

4.3CVSS6AI score0.0453EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2011/04/11 6:55 p.m.•6 views

PYSEC-2011-21

Cross-site scripting XSS vulnerability in feedparser.py in Universal Feed Parser aka feedparser or python-feedparser 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI...

4.3CVSS6AI score0.02326EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2011/04/11 6:55 p.m.•7 views

PYSEC-2011-19

feedparser.py in Universal Feed Parser aka feedparser or python-feedparser before 5.0.1 allows remote attackers to cause a denial of service application crash via a malformed DOCTYPE declaration...

5CVSS6.8AI score0.03233EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2011/04/11 6:55 p.m.•6 views

PYSEC-2011-20

Cross-site scripting XSS vulnerability in feedparser.py in Universal Feed Parser aka feedparser or python-feedparser 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments...

4.3CVSS6.1AI score0.02443EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2011/03/14 7:55 p.m.•5 views

PYSEC-2011-7

Multiple SQL injection vulnerabilities in the getuserinfo method in the MySQLAuthHandler class in DAVServer/mysqlauth.py in PyWebDAV before 0.9.4.1 allow remote attackers to execute arbitrary SQL commands via the 1 user or 2 pw argument. NOTE: some of these details are obtained from third party...

7.5CVSS8.8AI score0.01796EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2011/02/22 6:0 p.m.•7 views

PYSEC-2011-6

Cross-site scripting XSS vulnerability in the reStructuredText rst parser in parser/textrst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some...

2.6CVSS6.1AI score0.02517EPSS
Exploits1References15Affected Software1
PyPA
PyPA
•added 2011/02/14 9:0 p.m.•11 views

PYSEC-2011-30

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery CSRF attacks via forged AJAX requests that leverage a "combination of browser plugins...

6.8CVSS5.8AI score0.01589EPSS
Exploits1References18Affected Software1
PyPA
PyPA
•added 2011/02/14 9:0 p.m.•10 views

PYSEC-2011-31

Cross-site scripting XSS vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload...

4.3CVSS5.9AI score0.01774EPSS
Exploits0References18Affected Software1
PyPA
PyPA
•added 2011/02/14 9:0 p.m.•6 views

PYSEC-2011-10

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery CSRF attacks via forged AJAX requests that leverage a "combination of browser plugins...

6.8CVSS6.9AI score0.01589EPSS
Exploits1References19Affected Software1
PyPA
PyPA
•added 2011/02/14 9:0 p.m.•6 views

PYSEC-2011-12

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / slash character in a key in a session cookie, related to session replays...

7.5CVSS7.1AI score0.02856EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2011/02/14 9:0 p.m.•6 views

PYSEC-2011-11

Cross-site scripting XSS vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload...

4.3CVSS6AI score0.01774EPSS
Exploits0References19Affected Software1
PyPA
PyPA
•added 2011/02/03 5:0 p.m.•6 views

PYSEC-2011-13

Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors...

7.5CVSS7.1AI score0.03171EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2011/01/10 8:0 p.m.•9 views

PYSEC-2011-29

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service resource consumption via a URL that...

5CVSS5.8AI score0.03348EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2011/01/10 8:0 p.m.•10 views

PYSEC-2011-28

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series...

4CVSS5.8AI score0.01697EPSS
Exploits1References18Affected Software1
PyPA
PyPA
•added 2011/01/10 8:0 p.m.•6 views

PYSEC-2011-9

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service resource consumption via a URL that...

5CVSS6.9AI score0.03348EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2011/01/10 8:0 p.m.•5 views

PYSEC-2011-8

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series...

4CVSS6.5AI score0.01697EPSS
Exploits1References19Affected Software1
PyPA
PyPA
•added 2010/11/06 12:0 a.m.•6 views

PYSEC-2010-29

Multiple cross-site scripting XSS vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to 1 paste.urlparser.StaticURLParser, 2...

4.3CVSS5.9AI score0.02288EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•5 views

PYSEC-2010-10

Memory leak in the ondtpclose function in ftpserver.py in pyftpdlib before 0.5.2 allows remote authenticated users to cause a denial of service memory consumption by sending a QUIT command during a data transfer...

4CVSS6.8AI score0.01156EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•5 views

PYSEC-2010-8

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the getpeername function having an ENOTCONN error, a different vulnerabilit...

4.3CVSS7AI score0.01582EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•5 views

PYSEC-2010-24

The ftpSTOU function in FTPServer.py in pyftpdlib before 0.2.0 does not limit the number of attempts to discover a unique filename, which might allow remote authenticated users to cause a denial of service via a STOU command...

4CVSS6.6AI score0.01156EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•7 views

PYSEC-2010-21

FTPServer.py in pyftpdlib before 0.2.0 does not increment the attemptedlogins count for a USER command that specifies an invalid username, which makes it easier for remote attackers to obtain access via a brute-force attack...

7.5CVSS6.9AI score0.01354EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•6 views

PYSEC-2010-20

Multiple directory traversal vulnerabilities in FTPServer.py in pyftpdlib before 0.2.0 allow remote authenticated users to access arbitrary files and directories via a .. dot dot in a 1 LIST, 2 STOR, or 3 RETR command...

6.5CVSS7.1AI score0.0126EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•6 views

PYSEC-2010-27

Race condition in ZEO/StorageServer.py in Zope Object Database ZODB before 3.10.0 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpect...

5CVSS7AI score0.03627EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•5 views

PYSEC-2010-23

FTPServer.py in pyftpdlib before 0.2.0 allows remote attackers to cause a denial of service via a long command...

5CVSS6.8AI score0.01447EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•6 views

PYSEC-2010-22

pyftpdlib before 0.1.1 does not choose a random value for the port associated with the PASV command, which makes it easier for remote attackers to obtain potentially sensitive information about the number of in-progress data connections by reading the response to this command...

5CVSS6.6AI score0.01127EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•7 views

PYSEC-2010-25

The ftpPORT function in FTPServer.py in pyftpdlib before 0.2.0 does not prevent TCP connections to privileged ports if the destination IP address matches the source IP address of the connection from the FTP client, which might allow remote authenticated users to conduct FTP bounce attacks via...

7.5CVSS6.8AI score0.01959EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•6 views

PYSEC-2010-11

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected value of None for the address, or ...

5CVSS7AI score0.03627EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•8 views

PYSEC-2010-7

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different...

4.3CVSS7AI score0.01582EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•5 views

PYSEC-2010-6

The ftpQUIT function in ftpserver.py in pyftpdlib before 0.5.0 allows remote authenticated users to cause a denial of service file descriptor exhaustion and daemon outage by sending a QUIT command during a disallowed data-transfer attempt...

4CVSS6.8AI score0.01375EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•5 views

PYSEC-2010-5

ftpserver.py in pyftpdlib before 0.5.0 does not delay its response after receiving an invalid login attempt, which makes it easier for remote attackers to obtain access via a brute-force attack...

7.5CVSS6.8AI score0.0156EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•8 views

PYSEC-2010-4

Multiple directory traversal vulnerabilities in FTPServer.py in pyftpdlib before 0.3.0 allow remote authenticated users to access arbitrary files and directories via vectors involving a symlink in a pathname to a 1 CWD, 2 DELE, 3 STOR, or 4 RETR command...

6.5CVSS7.1AI score0.01412EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•6 views

PYSEC-2010-9

ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session...

4CVSS6.8AI score0.01031EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2010/09/24 7:0 p.m.•6 views

PYSEC-2010-31

Cross-site scripting XSS vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program...

4.3CVSS6AI score0.0253EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2010/09/14 7:0 p.m.•7 views

PYSEC-2010-12

Cross-site scripting XSS vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken aka csrftoken cookie...

4.3CVSS6AI score0.019EPSS
Exploits0References7Affected Software1
Total number of security vulnerabilities5613