PYSEC-2009-6
Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an AttachFile sub-action in the errormsg function or (2) multiple vectors related to package file errors in the uploadform...
PYSEC-2009-17
The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors...
PYSEC-2009-13
MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when acl_hierarchic is set to True, which might allow remote attackers to bypass intended access restrictions, a different vulnerability than CVE-2008-1937...
PYSEC-2009-12
The password_checker function in config/multiconfig.py in MoinMoin 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors...
PYSEC-2009-5
schema.py in FormEncode for Python (python-formencode) 1.0 does not apply the chained_validators feature, which allows attackers to bypass intended access restrictions via unknown vectors...
PYSEC-2009-11
The rst parser (parser/text_rst.py) in MoinMoin 1.6.1 does not check the ACL of an included page, which allows attackers to read unauthorized include files via unknown vectors...
PYSEC-2009-16
Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka gstreamer-plugins) 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample aka...
PYSEC-2009-15
Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom da...
PYSEC-2009-14
Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime medi...
PYSEC-2008-7
Unspecified vulnerability in the HTML sanitizer filter in Trac before 0.11.2 allows attackers to conduct phishing attacks via unknown attack vectors...
PYSEC-2008-6
Unspecified vulnerability in Trac before 0.11.2 allows attackers to cause a denial of service via unknown attack vectors related to "certain wiki markup."...
PYSEC-2008-2
The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests...
PYSEC-2008-13
Multiple cross-site scripting (XSS) vulnerabilities in macro/AdvancedSearch.py in moin and MoinMoin 1.6.3 and 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...
PYSEC-2008-5
Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors...
PYSEC-2008-4
Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter, possibly related to the quickjump function...
PYSEC-2008-11
Exiv2 0.16 allows user-assisted remote attackers to cause a denial of service (divide-by-zero and application crash) via a zero value in Nikon lens information in the metadata of an image, related to "pretty printing" and the RationalValue::toLong function...
PYSEC-2008-1
Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request...
PYSEC-2008-12
The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges...
PYSEC-2008-10
The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods...
PYSEC-2008-9
Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS)...
PYSEC-2008-14
Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS 3.0.5 and 3.0.6 allow remote attackers to (1) add arbitrary accounts via the join_form page and (2) change the privileges of arbitrary groups via the prefs_groups_overview page...
PYSEC-2008-15
Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS 3.0.5 and 3.0.6 allow remote attackers to (1) add arbitrary accounts via the join_form page and (2) change the privileges of arbitrary groups via the prefs_groups_overview page...
PYSEC-2008-8
common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool...
PYSEC-2008-3
Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write...
PYSEC-2007-4
Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes...
PYSEC-2007-1
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large...
PYSEC-2007-3
Trac before 0.10.3.1 does not send a Content-Disposition HTTP header specifying an attachment in certain "unsafe" situations, which has unknown impact and remote attack vectors...
PYSEC-2007-2
Cross-site scripting (XSS) vulnerability in the "download wiki page as text" feature in Trac before 0.10.3.1, when Microsoft Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters...
PYSEC-2006-10
Unspecified vulnerability in PlonePAS in Plone 2.5 and 2.5.1, when anonymous member registration is enabled, allows an attacker to "masquerade as a group."...
PYSEC-2006-6
Unspecified vulnerability in PlonePAS in Plone 2.5 and 2.5.1, when anonymous member registration is enabled, allows an attacker to "masquerade as a group."...
PYSEC-2006-3
Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors...
PYSEC-2006-5
Unspecified vulnerability in the Password Reset Tool before 0.4.1 on Plone 2.5 and 2.5.1 Release Candidate allows attackers to reset the passwords of other users, related to "an erroneous security declaration."...
PYSEC-2006-9
Unspecified vulnerability in the Password Reset Tool before 0.4.1 on Plone 2.5 and 2.5.1 Release Candidate allows attackers to reset the passwords of other users, related to "an erroneous security declaration."...
PYSEC-2006-8
The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which allows remote attackers to read arbitrary files via a csvtable directive, a different vulnerability than CVE-2006-3458...
PYSEC-2006-2
Trac before 0.9.6 does not disable the "raw" or "include" commands when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows remote attackers to read arbitrary files, perform cross-site scripting (XSS) attacks, or cause a denial of service via...
PYSEC-2006-7
Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files...
PYSEC-2006-4
Multiple heap-based buffer overflows in Libextractor 0.5.13 and earlier allow remote attackers to execute arbitrary code via (1) the asf_read_header function in the ASF plugin (plugins/asfextractor.c), and (2) the parse_trak_atom function in the QT plugin (plugins/qtextractor.c)...
PYSEC-2006-1
Directory traversal vulnerability in the staticfilter component in CherryPy before 2.1.1 allows remote attackers to read arbitrary files via ".." sequences in unspecified vectors...
PYSEC-2005-1
Cross-site scripting (XSS) vulnerability in the HTML WikiProcessor in Edgewall Trac 0.9.2 allows remote attackers to inject arbitrary web script or HTML via javascript in the SRC attribute of an IMG tag...
PYSEC-2024-55
Malicious package. Exfiltrated secrets to a target server...