U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Python
  • Search Type: Search All
  • CPE Name Search: false
There are 845 matching records.
Displaying matches 681 through 700.
Vuln ID Summary CVSS Severity
CVE-2011-4104

The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.

Published: October 26, 2014; 9:55:23 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2011-4103

emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.

Published: October 26, 2014; 9:55:23 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-1929

python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Published: October 25, 2014; 5:55:03 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 4.4 MEDIUM
CVE-2014-1928

The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Published: October 25, 2014; 5:55:03 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 4.6 MEDIUM
CVE-2014-1927

The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Published: October 25, 2014; 5:55:03 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-3593

Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration.

Published: October 15, 2014; 10:55:06 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 6.0 MEDIUM
CVE-2014-1830

Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.

Published: October 15, 2014; 10:55:05 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-1829

Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.

Published: October 15, 2014; 10:55:05 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-7185

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.

Published: October 08, 2014; 1:55:05 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2014-7144

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

Published: October 02, 2014; 10:55:04 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-5506

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.

Published: September 30, 2014; 10:55:06 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-5499

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.

Published: September 30, 2014; 10:55:06 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-5495

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."

Published: September 30, 2014; 10:55:06 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-5494

Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."

Published: September 30, 2014; 10:55:06 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-5493

gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.

Published: September 30, 2014; 10:55:06 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 8.5 HIGH
CVE-2012-5488

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

Published: September 30, 2014; 10:55:05 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-5487

The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

Published: September 30, 2014; 10:55:05 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 8.5 HIGH
CVE-2012-5485

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

Published: September 30, 2014; 10:55:05 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2014-5340

The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL.

Published: September 02, 2014; 10:55:03 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2014-0485

S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

Published: September 02, 2014; 10:55:03 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 7.5 HIGH