Lucene search
K

4602 matches found

PyPA
PyPA
•added 2017/06/13 4:29 p.m.•6 views

PYSEC-2017-96

The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service runtime exception and process crash...

7.5CVSS6.9AI score0.03204EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/06/08 6:29 p.m.•7 views

PYSEC-2017-2

The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands...

8.8CVSS7.4AI score0.02498EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/06/07 8:29 p.m.•8 views

PYSEC-2017-3

The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack...

7.8CVSS6.6AI score0.00443EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2017/06/06 9:29 p.m.•9 views

PYSEC-2017-91

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name...

9CVSS7.3AI score0.21512EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2017/05/26 10:29 a.m.•6 views

PYSEC-2017-112

An issue was discovered in Exiv2 0.26. When the data structure of the structure ifd is incorrect, the program assigns pValue to 0x0, and the value of pValue is 0x0. TiffImageEntry::doWriteImage will use the value of pValue to cause a segmentation fault. To exploit this vulnerability, someone must...

6.5CVSS6.8AI score0.02645EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2017/04/30 5:59 p.m.•6 views

PYSEC-2017-101

Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpccalldestroy function in core/lib/surface/call.c...

9.8CVSS7.2AI score0.02465EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2017/04/30 3:59 p.m.•6 views

PYSEC-2017-102

Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method...

8.1CVSS7.1AI score0.02016EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2017/04/25 5:59 p.m.•5 views

PYSEC-2017-82

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions clients...

7.8CVSS6.7AI score0.00431EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2017/04/24 6:59 p.m.•7 views

PYSEC-2017-92

Heap-based buffer overflow in the j2kencodeentry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service memory corruption via a crafted Jpeg2000 file...

5.5CVSS7.2AI score0.02561EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/04/13 2:59 p.m.•5 views

PYSEC-2017-30

modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp...

5.3CVSS7AI score0.00426EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2017/04/13 2:59 p.m.•4 views

PYSEC-2017-29

modules/serverdensitydevice.py in SaltStack before 2014.7.4 does not properly handle files in /tmp...

5.3CVSS7AI score0.00428EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/04/12 10:59 p.m.•5 views

PYSEC-2017-21

OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions...

7.5CVSS7AI score0.0291EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2017/04/04 5:59 p.m.•6 views

PYSEC-2017-9

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects namely django.utils.http.issafeurl considered some numeric URLs "safe" when they shouldn't be, aka an open...

6.1CVSS6.2AI score0.02384EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2017/04/04 5:59 p.m.•5 views

PYSEC-2017-10

A maliciously crafted URL to a Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 site using the django.views.static.serve view could redirect to any other domain, aka an open redirect vulnerability...

6.1CVSS6.7AI score0.0183EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2017/04/04 5:59 p.m.•5 views

PYSEC-2017-97

fileopen in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242...

5.3CVSS6.8AI score0.01819EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/03/29 2:59 p.m.•6 views

PYSEC-2017-143

The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision...

5.5CVSS6.9AI score0.01176EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2017/03/27 5:59 p.m.•8 views

PYSEC-2017-8

HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digestsize...

7.5CVSS6.9AI score0.03399EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2017/03/27 3:59 p.m.•5 views

PYSEC-2017-99

Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."...

4.3CVSS6.8AI score0.06665EPSS
Exploits5References6Affected Software1
PyPA
PyPA
•added 2017/03/27 3:59 p.m.•8 views

PYSEC-2017-100

Cross-site scripting XSS vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to inject arbitrary web script or HTML via the playlistname field when creating a new playlist...

5.4CVSS5.9AI score0.00847EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/03/24 2:59 p.m.•5 views

PYSEC-2017-25

XML External Entity XXE vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response...

7.5CVSS7AI score0.0386EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2017/03/23 4:59 p.m.•8 views

PYSEC-2017-81

Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method...

4.3CVSS6.8AI score0.01321EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/03/23 4:59 a.m.•5 views

PYSEC-2017-7

An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0...

8.8CVSS7.2AI score0.01535EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/03/16 9:59 p.m.•7 views

PYSEC-2017-113

Integer overflow in the cswinkernelmalloc function in winkernelmm.c in Capstone 3.0.4 and earlier allows attackers to cause a denial of service heap-based buffer overflow in a kernel driver or possibly have unspecified other impact via a large value...

8.8CVSS7.7AI score0.01245EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/03/15 3:59 p.m.•7 views

PYSEC-2017-42

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests...

5.3CVSS7AI score0.02287EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2017/03/09 8:59 p.m.•5 views

PYSEC-2017-86

There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field...

6.1CVSS6.3AI score0.00693EPSS
Exploits2References3Affected Software1
PyPA
PyPA
•added 2017/03/07 4:59 p.m.•6 views

PYSEC-2017-61

Cross-site scripting XSS vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL...

6.1CVSS6AI score0.01596EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2017/03/07 4:59 p.m.•10 views

PYSEC-2017-63

Multiple cross-site scripting XSS vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...

6.1CVSS6AI score0.01575EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2017/03/07 4:59 p.m.•8 views

PYSEC-2017-59

z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting XSS attacks via a crafted GET request...

6.1CVSS6.1AI score0.01575EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2017/03/07 4:59 p.m.•7 views

PYSEC-2017-62

Cross-site scripting XSS vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors...

6.1CVSS6.1AI score0.01575EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2017/03/07 4:59 p.m.•9 views

PYSEC-2017-60

Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to 1...

6.1CVSS7.1AI score0.01657EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2017/03/07 4:59 p.m.•6 views

PYSEC-2017-58

Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. dot dot in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions...

4.9CVSS6.9AI score0.0258EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2017/03/03 3:59 p.m.•6 views

PYSEC-2017-67

PySAML2 allows remote attackers to conduct XML external entity XXE attacks via a crafted SAML XML request or response...

9CVSS7.1AI score0.02133EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2017/02/24 8:59 p.m.•7 views

PYSEC-2017-55

Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors...

7.5CVSS7.2AI score0.01481EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/02/24 8:59 p.m.•8 views

PYSEC-2017-56

Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors...

5.3CVSS6.7AI score0.01115EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/02/24 8:59 p.m.•6 views

PYSEC-2017-57

Chameleon five.pt in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates...

4.9CVSS6.8AI score0.01005EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/02/22 4:59 p.m.•7 views

PYSEC-2017-14

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of the less than character in attribute values...

6.1CVSS6.1AI score0.02141EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2017/02/22 4:59 p.m.•10 views

PYSEC-2017-15

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909...

6.1CVSS6.2AI score0.02141EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2017/02/15 7:59 p.m.•6 views

PYSEC-2017-48

Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document...

8.2CVSS6.9AI score0.01159EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/02/15 3:59 p.m.•6 views

PYSEC-2017-94

Heap-based buffer overflow in the ALGnew function in blocktemplace.c in Python Cryptography Toolkit aka pycrypto allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py...

9.8CVSS8.3AI score0.09501EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2017/02/09 8:59 p.m.•6 views

PYSEC-2017-103

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and...

5.9CVSS6.6AI score0.01263EPSS
Exploits2References8Affected Software1
PyPA
PyPA
•added 2017/02/09 8:59 p.m.•5 views

PYSEC-2017-104

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and...

5.9CVSS6.6AI score0.01263EPSS
Exploits3References7Affected Software1
PyPA
PyPA
•added 2017/02/07 5:59 p.m.•7 views

PYSEC-2017-34

Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching...

9.1CVSS6.9AI score0.02581EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/02/04 5:59 a.m.•7 views

PYSEC-2017-64

Cross-site scripting XSS vulnerability in the managefindResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the objids:tokens parameter...

6.1CVSS6.1AI score0.01575EPSS
Exploits3References5Affected Software1
PyPA
PyPA
•added 2017/01/31 7:59 p.m.•8 views

PYSEC-2017-33

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient...

5.6CVSS7.2AI score0.00873EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/01/30 10:59 p.m.•8 views

PYSEC-2017-20

Cross-site scripting XSS vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

6.1CVSS6AI score0.01452EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/01/30 10:59 p.m.•6 views

PYSEC-2017-32

The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file...

3.3CVSS6.2AI score0.00407EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/01/23 9:59 p.m.•8 views

PYSEC-2017-28

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys...

9.8CVSS7.1AI score0.02094EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2017/01/19 8:59 p.m.•7 views

PYSEC-2017-74

The tqdm.version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory...

7.8CVSS7.5AI score0.00438EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2017/01/11 4:59 p.m.•8 views

PYSEC-2017-98

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. Thi...

3.7CVSS6.6AI score0.00775EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2017/01/10 3:59 p.m.•6 views

PYSEC-2017-87

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK...

7.8CVSS6.8AI score0.01757EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities4602