Lucene search
K

7035 matches found

PyPA
PyPA
•added 2015/03/31 2:59 p.m.•5 views

PYSEC-2015-14

The validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command...

7.5CVSS7.7AI score0.04169EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2015/03/31 2:59 p.m.•7 views

PYSEC-2015-35

Buffer overflow in the C implementation of the applydelta function in pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file...

7.5CVSS8.2AI score0.03351EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2015/03/25 2:59 p.m.•5 views

PYSEC-2015-9

The utils.http.issafeurl function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting XSS attacks via a control character in a URL, as demonstrated by a...

4.3CVSS6.1AI score0.0499EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2015/03/25 2:59 p.m.•7 views

PYSEC-2015-18

The utils.html.striptags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service infinite loop by increasing the length of the input string...

5CVSS6.8AI score0.0496EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2015/03/18 4:59 p.m.•6 views

PYSEC-2015-17

The resolveredirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect...

6.8CVSS5.6AI score0.03408EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2015/03/12 2:59 p.m.•4 views

PYSEC-2015-8

Cross-site scripting XSS vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonlyfields, as demonstrated by a @property...

4.3CVSS6AI score0.02052EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2015/02/24 3:59 p.m.•8 views

PYSEC-2015-38

OpenStack Image Registry and Delivery Service Glance 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service disk consumption by creating a large number of images using the task v2 API and then deleting them, a different...

4CVSS6.8AI score0.02101EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2015/02/24 3:59 p.m.•9 views

PYSEC-2015-37

OpenStack Image Registry and Delivery Service Glance 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service disk consumption by creating a large number of images using the task v2 API and then deleting them before the uploads...

4CVSS6.8AI score0.02101EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2015/02/16 3:59 p.m.•8 views

PYSEC-2015-29

RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the getrepo API method...

4CVSS6.6AI score0.01207EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2015/02/16 3:59 p.m.•10 views

PYSEC-2015-33

RhodeCode before 2.2.7 allows remote authenticated users to obtain API keys and other sensitive information via the 1 updaterepo, 2 getlocks, or 3 getusergroups API method...

4CVSS6.6AI score0.00947EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2015/02/16 3:59 p.m.•8 views

PYSEC-2015-32

RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the getrepo API method...

4CVSS6.6AI score0.01207EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•5 views

PYSEC-2015-6

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service memory consumption via a long line in a file...

5CVSS6.8AI score0.04334EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•8 views

PYSEC-2015-7

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when showhiddeninitial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries...

5CVSS7.4AI score0.0269EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•6 views

PYSEC-2015-5

The django.util.http.issafeurl function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting XSS attacks via a crafted URL, related to redirect URLs, as demonstrated by a...

4.3CVSS6AI score0.03028EPSS
Exploits1References13Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•8 views

PYSEC-2015-4

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an underscore character instead of a - dash character in an HTTP header, as demonstrated by an X-AuthUser header...

5CVSS7AI score0.06783EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2015/01/16 4:59 p.m.•7 views

PYSEC-2015-16

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed...

5CVSS6.8AI score0.05426EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2015/01/02 8:59 p.m.•9 views

PYSEC-2015-36

Buffer overflow in the RiffVideo::infoTagsHandler function in riffvideo.cpp in Exiv2 0.24 allows remote attackers to cause a denial of service crash via a long IKEY INFO tag value in an AVI file...

5CVSS7.1AI score0.03654EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2014/11/24 3:59 p.m.•5 views

PYSEC-2014-11

pip 1.3 through 1.5.6 allows local users to cause a denial of service prevention of package installation by creating a /tmp/pip-build- file for another user...

2.1CVSS6.4AI score0.00393EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/11/19 6:59 p.m.•4 views

PYSEC-2014-101

FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows remote attackers to bypass the password requirement of the two-factor authentication leveraging an enabled OTP token, which triggers an anonymous bind...

3.5CVSS7.3AI score0.01787EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2014/11/19 6:59 p.m.•5 views

PYSEC-2014-104

FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows remote attackers to bypass the password requirement of the two-factor authentication leveraging an enabled OTP token, which triggers an anonymous bind...

3.5CVSS7.3AI score0.01787EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2014/11/17 4:59 p.m.•8 views

PYSEC-2014-80

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to...

5CVSS7AI score0.01867EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2014/11/03 10:55 p.m.•7 views

PYSEC-2014-42

The batch id change script renameObjectsByPaths.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request...

4.3CVSS6.8AI score0.01087EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/11/03 10:55 p.m.•6 views

PYSEC-2014-76

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator PRNG, which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability...

5CVSS6.9AI score0.02337EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2014/11/03 10:55 p.m.•5 views

PYSEC-2014-51

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator PRNG, which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability...

5CVSS6.9AI score0.02337EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2014/11/03 10:55 p.m.•13 views

PYSEC-2014-50

The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remote attackers to obtain random numbers and derive the PRNG state for password resets via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6661 was assigned for the PRNG...

5CVSS7.4AI score0.02337EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2014/10/27 1:55 a.m.•7 views

PYSEC-2014-25

The fromyaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method...

7.5CVSS7.8AI score0.02409EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/10/27 1:55 a.m.•6 views

PYSEC-2014-24

emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method...

7.5CVSS7.8AI score0.02409EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/10/25 10:55 p.m.•8 views

PYSEC-2014-77

Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; semi-colon and a Content-Type that would not be accepted, as...

6.8CVSS7.5AI score0.03101EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/10/25 9:55 p.m.•7 views

PYSEC-2014-92

python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323...

7.5CVSS7.5AI score0.02851EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2014/10/25 9:55 p.m.•7 views

PYSEC-2014-90

The shellquote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$" command-substitution sequences, a different vulnerability than CVE-2014-1928...

7.5CVSS8.1AI score0.03388EPSS
Exploits5References8Affected Software1
PyPA
PyPA
•added 2014/10/25 9:55 p.m.•7 views

PYSEC-2014-91

The shellquote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "" backslash characters to form multi-command sequences, a different...

7.5CVSS8.1AI score0.03388EPSS
Exploits5References8Affected Software1
PyPA
PyPA
•added 2014/10/15 2:55 p.m.•6 views

PYSEC-2014-14

Requests aka python-requests before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request...

5CVSS6.6AI score0.02036EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/10/15 2:55 p.m.•7 views

PYSEC-2014-13

Requests aka python-requests before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request...

5CVSS7.1AI score0.022EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/10/02 2:55 p.m.•8 views

PYSEC-2014-71

OpenStack keystonemiddleware formerly python-keystoneclient 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration paste.ini file regardless of the value, which allows remote attackers to conduct man-in-the-middle...

4.3CVSS6.8AI score0.01948EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2014/10/02 2:55 p.m.•5 views

PYSEC-2014-26

OpenStack keystonemiddleware formerly python-keystoneclient 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration paste.ini file regardless of the value, which allows remote attackers to conduct man-in-the-middle...

4.3CVSS6.8AI score0.01948EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•5 views

PYSEC-2014-39

membershiptool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL...

5CVSS6.8AI score0.02118EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•8 views

PYSEC-2014-31

The App.Undo.UndoSupport.getrequestvarorattr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors...

6.5CVSS7.1AI score0.01272EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-41

pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service memory consumption via a large value, related to formatColumns...

5CVSS6.8AI score0.02427EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-73

ZPublisher.HTTPRequest.scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed LF character...

6.4CVSS7.1AI score0.02479EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-35

gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors...

8.5CVSS7.7AI score0.01695EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•12 views

PYSEC-2014-45

ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors...

5CVSS6.9AI score0.014EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-40

queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection...

5CVSS6.8AI score0.02641EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-30

pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject...

5CVSS7.4AI score0.02589EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-29

The sandbox whitelisting function allowmodule.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing...

8.5CVSS7.7AI score0.01695EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-33

z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id...

4.3CVSS6.9AI score0.01231EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•9 views

PYSEC-2014-48

pythonscripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service infinite loop via an RSS feed request for a folder the user does not have permission to access...

5CVSS6.7AI score0.01604EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-34

uidcatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL...

5CVSS6.8AI score0.014EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•6 views

PYSEC-2014-27

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface...

6.8CVSS7.5AI score0.02066EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•7 views

PYSEC-2014-28

ZPublisher.HTTPRequest.scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed LF character...

6.4CVSS7.1AI score0.02479EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2014/09/30 2:55 p.m.•10 views

PYSEC-2014-46

Cross-site scripting XSS vulnerability in widgettraversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

4.3CVSS6AI score0.01187EPSS
Exploits0References5Affected Software1
Total number of security vulnerabilities7035