Lucene search
K

4602 matches found

PyPA
PyPA
•added 2017/01/10 3:59 p.m.•5 views

PYSEC-2017-93

A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority informati...

7.5CVSS6.6AI score0.01792EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/12/23 10:59 p.m.•5 views

PYSEC-2016-39

An exploitable out-of-bounds array access vulnerability exists in the xrowheaderdecode function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key's valu...

7.8CVSS6.8AI score0.03675EPSS
Exploits2References4Affected Software1
PyPA
PyPA
•added 2016/12/21 10:59 p.m.•7 views

PYSEC-2016-21

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity XXE attacks via a crafted document...

8.8CVSS7AI score0.02354EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/12/16 9:59 a.m.•6 views

PYSEC-2016-24

redirect in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect"233\r\nSet-Cookie: name=salt" call...

6.5CVSS6.9AI score0.01761EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/12/09 8:59 p.m.•6 views

PYSEC-2016-18

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWEDHOSTS...

8.1CVSS7AI score0.06074EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2016/12/09 8:59 p.m.•4 views

PYSEC-2016-17

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually...

9.8CVSS6.9AI score0.05144EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2016/11/10 5:59 p.m.•7 views

PYSEC-2016-31

MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation" approach, related to a "Cross Site Scripting XSS" issue affecting the action=AttachFile via page name component...

6.1CVSS6.5AI score0.01186EPSS
Exploits3References5Affected Software1
PyPA
PyPA
•added 2016/11/10 5:59 p.m.•7 views

PYSEC-2016-30

MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation or crafted URL" approach, related to a "Cross Site Scripting XSS" issue affecting the action=fckdialog=attachment via page name component...

6.1CVSS6.5AI score0.01186EPSS
Exploits3References5Affected Software1
PyPA
PyPA
•added 2016/11/04 10:59 a.m.•7 views

PYSEC-2016-9

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component...

7.8CVSS7.9AI score0.02026EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2016/11/04 10:59 a.m.•5 views

PYSEC-2016-8

Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.mapbuffer in map.c component...

5.5CVSS6.5AI score0.01861EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2016/10/07 6:59 p.m.•8 views

PYSEC-2016-25

flask-oidc version 0.1.2 and earlier is vulnerable to an open redirect...

7.4CVSS6.9AI score0.00795EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2016/10/03 6:59 p.m.•6 views

PYSEC-2016-3

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies...

7.5CVSS7.2AI score0.0613EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2016/09/26 4:59 p.m.•6 views

PYSEC-2016-22

OpenStack Murano before 1.0.3 liberty and 2.x before 2.0.1 mitaka, Murano-dashboard before 1.0.3 liberty and 2.x before 2.0.1 mitaka, and python-muranoclient before 0.7.3 liberty and 0.8.x before 0.8.5 mitaka improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files,...

9.8CVSS8AI score0.03166EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/09/07 7:28 p.m.•7 views

PYSEC-2016-40

Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors...

5.3CVSS7AI score0.01587EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/09/07 7:28 p.m.•5 views

PYSEC-2016-12

Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors...

5.3CVSS7AI score0.01587EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/09/07 7:28 p.m.•6 views

PYSEC-2016-13

fileopen in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors...

4.4CVSS6.9AI score0.01819EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/09/07 7:28 p.m.•5 views

PYSEC-2016-41

fileopen in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors...

4.4CVSS6.9AI score0.01819EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/09/01 11:59 p.m.•6 views

PYSEC-2016-4

The Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack MMA...

5.3CVSS6.8AI score0.02226EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2016/08/05 3:59 p.m.•9 views

PYSEC-2016-2

Cross-site scripting XSS vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors...

6.1CVSS6AI score0.05536EPSS
Exploits6References18Affected Software1
PyPA
PyPA
•added 2016/06/13 2:59 p.m.•7 views

PYSEC-2016-38

The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...

4.3CVSS6.8AI score0.01402EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2016/06/03 2:59 p.m.•8 views

PYSEC-2016-1

The createscript function in the lxccontainer module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on 1 /opt/.lxc-attach-script, 2 the archived container in the archivepath directory, or the 3...

7.8CVSS7.1AI score0.00468EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2016/05/09 8:59 p.m.•9 views

PYSEC-2016-28

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name...

8.8CVSS7.8AI score0.02655EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2016/04/15 5:59 p.m.•7 views

PYSEC-2016-34

The TripleO Heat templates tripleo-heat-templates do not properly order the Identity Service keystone before the OpenStack Object Storage Swift staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive...

7.5CVSS6.6AI score0.02415EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•8 views

PYSEC-2016-26

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository...

8.8CVSS7.9AI score0.05405EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•7 views

PYSEC-2016-7

Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow...

10CVSS7.8AI score0.07871EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•7 views

PYSEC-2016-29

The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a 1 clone, 2 push, or 3 pull command, related to a a list sizing rounding error and b short records...

8.8CVSS8AI score0.04832EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•5 views

PYSEC-2016-27

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository...

8.8CVSS7.9AI score0.04953EPSS
Exploits0References18Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•4 views

PYSEC-2016-5

Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file...

6.5CVSS7.2AI score0.0236EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•6 views

PYSEC-2016-19

Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library PIL 1.1.7 and earlier allows remote attackers to cause a denial of service crash via a crafted PhotoCD file...

6.5CVSS7AI score0.03998EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2016/04/13 4:59 p.m.•6 views

PYSEC-2016-6

Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service crash via a crafted FLI file...

6.5CVSS7AI score0.02689EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2016/04/13 3:59 p.m.•8 views

PYSEC-2016-11

model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records...

4.3CVSS7AI score0.0115EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2016/04/13 2:59 p.m.•5 views

PYSEC-2016-33

schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details...

4.3CVSS6.5AI score0.01535EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/04/12 2:59 p.m.•6 views

PYSEC-2016-23

Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream...

8.1CVSS7.9AI score0.01516EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/04/11 9:59 p.m.•6 views

PYSEC-2016-35

The TripleO Heat templates tripleo-heat-templates, when deployed via the commandline interface, allow remote attackers to spoof OpenStack Networking metadata requests by leveraging knowledge of the default value of the NeutronMetadataProxySharedSecret parameter...

7.5CVSS7AI score0.01651EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2016/04/08 3:59 p.m.•8 views

PYSEC-2016-16

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests...

3.1CVSS7AI score0.03317EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2016/04/08 3:59 p.m.•7 views

PYSEC-2016-15

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...

7.4CVSS6.3AI score0.04035EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2016/02/08 7:59 p.m.•6 views

PYSEC-2016-14

Django 1.9.x before 1.9.2, when ModelAdmin.saveas is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission...

6CVSS6.9AI score0.01522EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2016/02/03 6:59 p.m.•6 views

PYSEC-2016-36

The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name...

10CVSS7AI score0.02945EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2016/02/03 6:59 p.m.•8 views

PYSEC-2016-37

Radicale before 1.1 allows remote authenticated users to bypass ownerwrite and owneronly limitations via regex metacharacters in the user name, as demonstrated by "."...

5.3CVSS6.8AI score0.02219EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2016/02/03 6:59 p.m.•5 views

PYSEC-2016-20

The identity service in OpenStack Identity Keystone before 2015.1.3 Kilo and 8.0.x before 8.0.2 Liberty and keystonemiddleware formerly python-keystoneclient before 1.5.4 Kilo and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers,...

7.5CVSS6.9AI score0.01708EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2016/01/13 3:59 p.m.•6 views

PYSEC-2016-10

The verify function in the RSA package for Python Python-RSA before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack...

5.3CVSS6.8AI score0.07054EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2016/01/08 8:59 p.m.•6 views

PYSEC-2016-32

The FontManager.getnixfontpath function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name...

9.3CVSS7.8AI score0.06664EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2015/12/07 8:59 p.m.•5 views

PYSEC-2015-11

The getformat function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRETKEY...

5CVSS6.8AI score0.04284EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2015/11/25 8:59 p.m.•7 views

PYSEC-2015-28

OpenStack Ironic Inspector aka ironic-inspector or ironic-discoverd, when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error...

6.8CVSS7.8AI score0.01585EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2015/11/17 3:59 p.m.•7 views

PYSEC-2015-41

providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service Provider SP owner, which allows remote authenticated users to cause a denial of service via a duplicate SP name...

4CVSS6.7AI score0.013EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2015/11/17 3:59 p.m.•6 views

PYSEC-2015-42

providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider SP...

5.5CVSS6.6AI score0.01493EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2015/10/29 8:59 p.m.•6 views

PYSEC-2015-13

CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the camefrom parameter to admin/login...

5CVSS7.6AI score0.06039EPSS
Exploits6References5Affected Software1
PyPA
PyPA
•added 2015/09/29 7:59 p.m.•5 views

PYSEC-2015-25

The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types...

6.8CVSS7.6AI score0.01685EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2015/09/29 7:59 p.m.•7 views

PYSEC-2015-27

The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types...

6.8CVSS7.6AI score0.01685EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2015/09/21 7:59 p.m.•6 views

PYSEC-2015-26

Cross-site scripting XSS vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site reque...

4.3CVSS6AI score0.02768EPSS
Exploits1References10Affected Software1
Total number of security vulnerabilities4602