3740 matches found
PYSEC-2011-11
Cross-site scripting XSS vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload...
PYSEC-2011-10
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery CSRF attacks via forged AJAX requests that leverage a "combination of browser plugins...
PYSEC-2011-12
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / slash character in a key in a session cookie, related to session replays...
PYSEC-2011-13
Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors...
PYSEC-2011-28
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series...
PYSEC-2011-29
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service resource consumption via a URL that...
PYSEC-2011-9
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service resource consumption via a URL that...
PYSEC-2011-8
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series...
PYSEC-2010-29
Multiple cross-site scripting XSS vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to 1 paste.urlparser.StaticURLParser, 2...
PYSEC-2010-25
The ftpPORT function in FTPServer.py in pyftpdlib before 0.2.0 does not prevent TCP connections to privileged ports if the destination IP address matches the source IP address of the connection from the FTP client, which might allow remote authenticated users to conduct FTP bounce attacks via...
PYSEC-2010-24
The ftpSTOU function in FTPServer.py in pyftpdlib before 0.2.0 does not limit the number of attempts to discover a unique filename, which might allow remote authenticated users to cause a denial of service via a STOU command...
PYSEC-2010-5
ftpserver.py in pyftpdlib before 0.5.0 does not delay its response after receiving an invalid login attempt, which makes it easier for remote attackers to obtain access via a brute-force attack...
PYSEC-2010-7
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different...
PYSEC-2010-23
FTPServer.py in pyftpdlib before 0.2.0 allows remote attackers to cause a denial of service via a long command...
PYSEC-2010-20
Multiple directory traversal vulnerabilities in FTPServer.py in pyftpdlib before 0.2.0 allow remote authenticated users to access arbitrary files and directories via a .. dot dot in a 1 LIST, 2 STOR, or 3 RETR command...
PYSEC-2010-10
Memory leak in the ondtpclose function in ftpserver.py in pyftpdlib before 0.5.2 allows remote authenticated users to cause a denial of service memory consumption by sending a QUIT command during a data transfer...
PYSEC-2010-22
pyftpdlib before 0.1.1 does not choose a random value for the port associated with the PASV command, which makes it easier for remote attackers to obtain potentially sensitive information about the number of in-progress data connections by reading the response to this command...
PYSEC-2010-21
FTPServer.py in pyftpdlib before 0.2.0 does not increment the attemptedlogins count for a USER command that specifies an invalid username, which makes it easier for remote attackers to obtain access via a brute-force attack...
PYSEC-2010-9
ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session...
PYSEC-2010-4
Multiple directory traversal vulnerabilities in FTPServer.py in pyftpdlib before 0.3.0 allow remote authenticated users to access arbitrary files and directories via vectors involving a symlink in a pathname to a 1 CWD, 2 DELE, 3 STOR, or 4 RETR command...
PYSEC-2010-11
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected value of None for the address, or ...
PYSEC-2010-8
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the getpeername function having an ENOTCONN error, a different vulnerabilit...
PYSEC-2010-6
The ftpQUIT function in ftpserver.py in pyftpdlib before 0.5.0 allows remote authenticated users to cause a denial of service file descriptor exhaustion and daemon outage by sending a QUIT command during a disallowed data-transfer attempt...
PYSEC-2010-27
Race condition in ZEO/StorageServer.py in Zope Object Database ZODB before 3.10.0 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpect...
PYSEC-2010-31
Cross-site scripting XSS vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program...
PYSEC-2010-12
Cross-site scripting XSS vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken aka csrftoken cookie...
PYSEC-2010-33
ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service crash of worker threads via vectors that trigger uncaught exceptions...
PYSEC-2010-32
ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service crash of worker threads via vectors that trigger uncaught exceptions...
PYSEC-2010-18
Multiple cross-site scripting XSS vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to 1 action/SlideShow.py, 2 action/anywikidraw.py, and 3 action/languagesetup.py, a similar issue to CVE-2010-2487...
PYSEC-2010-17
Multiple cross-site scripting XSS vulnerabilities in MoinMoin 1.7.3 and earlier, and 1.9.x before 1.9.3, allow remote attackers to inject arbitrary web script or HTML via crafted content, related to 1 action/LikePages.py, 2 action/chart.py, and 3 action/userprofile.py, a similar issue to...
PYSEC-2010-16
Multiple cross-site scripting XSS vulnerabilities in MoinMoin 1.7.3 and earlier, 1.8.x before 1.8.8, and 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to 1 Page.py, 2 PageEditor.py, 3 PageGraphicalEditor.py, 4 action/CopyPage.py, 5...
PYSEC-2010-26
Dan Pascu python-cjson 1.0.5 does not properly handle a '/' argument to cjson.encode, which makes it easier for remote attackers to conduct certain cross-site scripting XSS attacks involving Firefox and the end tag of a SCRIPT element...
PYSEC-2010-1
Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting XSS protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element...
PYSEC-2010-30
Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 encoding is enabled, allows context-dependent attackers to cause a denial of service application crash or possibly have unspecified other impact via vectors involving crafted Unicode input to the cjson.encode function...
PYSEC-2010-19
Cross-site scripting XSS vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safehtml transform...
PYSEC-2010-28
Cross-site scripting XSS vulnerability in action/Despam.py in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI...
PYSEC-2010-13
MoinMoin 1.7.x before 1.7.3 and 1.8.x before 1.8.3 checks parent ACLs in certain inappropriate circumstances during processing of hierarchical ACLs, which allows remote attackers to bypass intended access restrictions by requesting an item, a different vulnerability than CVE-2008-6603...
PYSEC-2010-15
Unspecified vulnerability in MoinMoin 1.5.x through 1.7.x, 1.8.x before 1.8.7, and 1.9.x before 1.9.2 has unknown impact and attack vectors, related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured...
PYSEC-2010-3
The default configuration of cfg.packagepagesactionsexcluded in MoinMoin before 1.8.7 does not prevent unsafe package actions, which has unspecified impact and attack vectors...
PYSEC-2010-2
MoinMoin before 1.8.7 and 1.9.x before 1.9.2 does not properly sanitize user profiles, which has unspecified impact and attack vectors...
PYSEC-2010-14
MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of the sys.argv array in situations where the GATEWAYINTERFACE environment variable is set, which allows remote attackers to obtain sensitive information via unspecified vectors...
PYSEC-2009-7
Multiple unspecified vulnerabilities in Trac before 0.11.6 have unknown impact and attack vectors, possibly related to 1 "policy checks in report results when using alternate formats" or 2 a "check for the 'raw' role that is missing in docutils 0.6."...
PYSEC-2009-18
The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings...
PYSEC-2009-4
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service CPU consumption via a crafted 1 EmailField email address or 2 URLField URL that triggers a large amount of backtracking in a regular...
PYSEC-2009-10
Unspecified vulnerability in the Zope Enterprise Objects ZEO storage-server functionality in Zope Object Database ZODB 3.8 before 3.8.3 and 3.9.x before 3.9.0c2, when certain ZEO database sharing and blob support are enabled, allows remote authenticated users to read or delete arbitrary files via...
PYSEC-2009-2
Multiple cross-site scripting XSS vulnerabilities in Buildbot 0.7.6 through 0.7.11p2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, different vulnerabilities than CVE-2009-2959...
PYSEC-2009-1
Cross-site scripting XSS vulnerability in the waterfall web status view status/web/waterfall.py in Buildbot 0.7.6 through 0.7.11p1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
PYSEC-2009-9
Zope Object Database ZODB before 3.8.2, when certain Zope Enterprise Objects ZEO database sharing is enabled, allows remote attackers to bypass authentication via vectors involving the ZEO network protocol...
PYSEC-2009-8
Unspecified vulnerability in Zope Object Database ZODB before 3.8.2, when certain Zope Enterprise Objects ZEO database sharing is enabled, allows remote attackers to execute arbitrary Python code via vectors involving the ZEO network protocol...
PYSEC-2009-3
The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL...