Lucene search
K

4602 matches found

PyPA
PyPA
added 2014/05/16 3:55 p.m.5 views

PYSEC-2014-19

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the 1 Vary: Cookie or 2 Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

6.4CVSS6.7AI score0.02546EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/05/16 3:55 p.m.5 views

PYSEC-2014-20

The django.util.http.issafeurl function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."...

4.3CVSS7AI score0.03123EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2014/05/14 7:55 p.m.5 views

PYSEC-2014-9

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting XSS attacks via control characters in the link scheme to the cleanhtml function...

6.1CVSS6.1AI score0.06333EPSS
Exploits1References15Affected Software1
PyPA
PyPA
added 2014/05/08 2:29 p.m.5 views

PYSEC-2014-112

The instance rescue mode in OpenStack Compute Nova 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and usecowimages is set to false, allows remote authenticated users to read certain compute host files by overwriting an instance disk with a crafted image...

3.5CVSS6.6AI score0.01488EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/05/05 5:6 p.m.7 views

PYSEC-2014-94

PyWBEM 0.7 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

5.8CVSS6.8AI score0.00907EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/05/05 5:6 p.m.5 views

PYSEC-2014-93

PyWBEM 0.7 and earlier uses a separate connection to validate X.509 certificates, which allows man-in-the-middle attackers to spoof a peer via an arbitrary certificate...

5.8CVSS6.9AI score0.01772EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.9 views

PYSEC-2014-65

Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope...

5CVSS7AI score0.014EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.74 views

PYSEC-2014-68

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API...

5.5CVSS6.7AI score0.00951EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.10 views

PYSEC-2014-67

Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope...

5CVSS7AI score0.014EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.74 views

PYSEC-2014-66

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API...

5.5CVSS6.7AI score0.00951EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/05/02 1:59 a.m.6 views

PYSEC-2014-72

Transifex command-line client before 0.10 does not validate X.509 certificates for data transfer connections, which allows man-in-the-middle attackers to spoof a Transifex server via an arbitrary certificate. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2073...

4.3CVSS7AI score0.00828EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/04/30 11:58 p.m.46 views

PYSEC-2014-98

Cross-site scripting XSS vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality...

3.5CVSS6.1AI score0.01487EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2014/04/27 8:55 p.m.8 views

PYSEC-2014-87

Python Image Library PIL 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py...

10CVSS7.9AI score0.12055EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2014/04/23 3:55 p.m.10 views

PYSEC-2014-1

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."...

5.1CVSS7.4AI score0.0565EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/04/23 3:55 p.m.8 views

PYSEC-2014-3

The 1 FilePathField, 2 GenericIPAddressField, and 3 IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, relate...

10CVSS7.2AI score0.04753EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/04/23 3:55 p.m.5 views

PYSEC-2014-2

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users...

5CVSS7AI score0.0199EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/04/17 2:55 p.m.6 views

PYSEC-2014-23

The 1 JpegImagePlugin.py and 2 EpsImagePlugin.py scripts in Python Image Library PIL 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes...

2.1CVSS6.6AI score0.00448EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2014/04/17 2:55 p.m.10 views

PYSEC-2014-22

The 1 loaddjpeg function in JpegImagePlugin.py, 2 Ghostscript function in EpsImagePlugin.py, 3 load function in IptcImagePlugin.py, and 4 copy function in Image.py in Python Image Library PIL 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users...

4.4CVSS6.4AI score0.00492EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2014/04/15 2:55 p.m.9 views

PYSEC-2014-106

The V3 API in OpenStack Identity Keystone 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service CPU consumption via a large number of the same authentication method in a request, aka "authentication chaining."...

7.8CVSS6.9AI score0.03155EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2014/04/15 2:55 p.m.7 views

PYSEC-2014-70

The authtoken middleware in the OpenStack Python client library for Keystone aka python-keystoneclient before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, relat...

6CVSS7.1AI score0.01101EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/04/11 3:55 p.m.6 views

PYSEC-2014-15

Cross-site scripting XSS vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link...

4.3CVSS6AI score0.01983EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/04/11 3:55 p.m.5 views

PYSEC-2014-16

Cross-site scripting XSS vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1...

4.3CVSS6AI score0.01983EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/04/10 8:29 p.m.5 views

PYSEC-2014-96

Cross-site scripting XSS vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter...

4.3CVSS6AI score0.01837EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/04/01 6:35 a.m.9 views

PYSEC-2014-105

The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...

5CVSS6.8AI score0.01367EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2014/03/25 4:55 p.m.5 views

PYSEC-2014-113

The VMWare driver in OpenStack Compute Nova 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service resource consumption by requesting the VM be put into rescue and then deleting the imag...

2.3CVSS6.7AI score0.00705EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.35 views

PYSEC-2014-59

Multiple open redirect vulnerabilities in 1 marmosetpatch.py, 2 publish.py, and 3 principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...

5.8CVSS7.1AI score0.0119EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.33 views

PYSEC-2014-61

memberportrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors...

5.5CVSS6.9AI score0.01255EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-52

traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service infinite loop and resource consumption via unspecified vectors related to "retrieving information for certain resources."...

4.3CVSS6.7AI score0.01347EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.10 views

PYSEC-2014-57

typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce the immutable setting on unspecified content edit forms, which allows remote attackers to hide fields on the forms via a crafted URL...

4.3CVSS6.9AI score0.0119EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.7 views

PYSEC-2014-60

The object manager implementation objectmanager.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request...

5CVSS6.5AI score0.0138EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.7 views

PYSEC-2014-58

The WYSIWYG component wysiwyg.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message...

4.3CVSS6.6AI score0.01214EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.9 views

PYSEC-2014-54

Multiple cross-site scripting XSS vulnerabilities in 1 spamProtect.py, 2 pts.py, and 3 request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...

4.3CVSS6AI score0.01807EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.10 views

PYSEC-2014-55

zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive...

5.8CVSS6.6AI score0.0119EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-56

sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to spoof emails via unspecified vectors...

4CVSS6.8AI score0.01095EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.6 views

PYSEC-2014-62

mailpassword.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality...

4CVSS7AI score0.01116EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.7 views

PYSEC-2014-63

1 cbdecode.py and 2 linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service resource consumption via a large zip archive, which is expanded decompressed...

3.5CVSS6.7AI score0.01076EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.6 views

PYSEC-2014-84

The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file...

4.4CVSS6.7AI score0.00355EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.6 views

PYSEC-2014-83

The 1 extractkeysfrompdf and 2 fillpdf functions in pdfext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf...

4.4CVSS7AI score0.00343EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-53

Multiple unspecified vulnerabilities in 1 dataitems.py, 2 get.py, and 3 traverseName.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users with administrator access to a subtree to access nodes above the subtree via unknown vectors...

6.5CVSS7AI score0.01255EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/02/18 7:55 p.m.6 views

PYSEC-2014-12

The OpenStack Python client library for Swift python-swiftclient 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...

5.8CVSS6.6AI score0.00732EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/02/14 3:55 p.m.7 views

PYSEC-2014-102

OpenStack Image Registry and Delivery Service Glance 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading th...

2.6CVSS6.5AI score0.00314EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/02/08 12:55 a.m.6 views

PYSEC-2014-88

python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate...

4.3CVSS6.8AI score0.00888EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/02/06 5:0 p.m.6 views

PYSEC-2014-111

The icreateimagesandbacking aka createimagesandbacking method in libvirt driver in OpenStack Compute Nova Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users vi...

7.1CVSS6.9AI score0.02159EPSS
Exploits0References13Affected Software1
PyPA
PyPA
added 2014/01/28 12:55 a.m.8 views

PYSEC-2014-117

The parser cache functionality in parsergenerator.py in RPLY aka python-rply before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-.json file with a predictable name...

2.1CVSS5.8AI score0.00351EPSS
Exploits0References7
PyPA
PyPA
added 2014/01/28 12:55 a.m.7 views

PYSEC-2014-17

The parser cache functionality in parsergenerator.py in RPLY aka python-rply before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-.json file with a predictable name...

2.1CVSS6.6AI score0.00351EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/01/28 12:55 a.m.8 views

PYSEC-2014-95

Race condition in the xdg.BaseDirectory.getruntimedir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once th...

3.3CVSS6.7AI score0.00315EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2014/01/23 1:55 a.m.6 views

PYSEC-2014-116

The TempURL middleware in OpenStack Object Storage Swift 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack...

4.3CVSS6.9AI score0.01895EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2014/01/21 6:55 p.m.6 views

PYSEC-2014-69

python-keystoneclient before 0.2.4, as used in OpenStack Keystone Folsom, does not properly check expiry for PKI tokens, which allows remote authenticated users to 1 retain use of a token after it has expired, or 2 use a revoked token once it expires...

5.5CVSS6.8AI score0.02064EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2014/01/21 4:6 p.m.7 views

PYSEC-2014-64

The isURLInPortal method in the URLTool class in inportal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allowexternalloginsites filtering property, redirect users to...

5.8CVSS6.9AI score0.02264EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2014/01/18 9:55 p.m.5 views

PYSEC-2014-81

httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary...

2.6CVSS6.9AI score0.01324EPSS
Exploits1References7Affected Software1
Total number of security vulnerabilities4602