National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): python
  • Search Type: Search All
There are 358 matching records.
Displaying matches 241 through 260.
Vuln ID Summary CVSS Severity
CVE-2011-4030

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.

Published: October 10, 2011; 06:55:06 AM -04:00
V2: 9.3 HIGH
CVE-2011-3587

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.

Published: October 10, 2011; 06:55:06 AM -04:00
V2: 9.3 HIGH
CVE-2011-2520

fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object.

Published: July 21, 2011; 07:55:03 PM -04:00
V2: 6.0 MEDIUM
CVE-2011-1521

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

Published: May 24, 2011; 07:55:02 PM -04:00
V2: 6.4 MEDIUM
CVE-2011-1015

The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.

Published: May 09, 2011; 06:55:01 PM -04:00
V2: 5.0 MEDIUM
CVE-2011-1158

Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI.

Published: April 11, 2011; 02:55:03 PM -04:00
V2: 4.3 MEDIUM
CVE-2011-1157

Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments.

Published: April 11, 2011; 02:55:03 PM -04:00
V2: 4.3 MEDIUM
CVE-2011-1156

feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0.1 allows remote attackers to cause a denial of service (application crash) via a malformed DOCTYPE declaration.

Published: April 11, 2011; 02:55:03 PM -04:00
V2: 5.0 MEDIUM
CVE-2009-5065

Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0 allows remote attackers to inject arbitrary web script or HTML via vectors involving nested CDATA stanzas.

Published: April 11, 2011; 02:55:01 PM -04:00
V2: 4.3 MEDIUM
CVE-2011-0707

Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.

Published: February 22, 2011; 02:00:02 PM -05:00
V2: 4.3 MEDIUM
CVE-2010-2235

template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.

Published: December 09, 2010; 03:00:17 PM -05:00
V2: 8.5 HIGH
CVE-2010-3495

Race condition in ZEO/StorageServer.py in Zope Object Database (ZODB) before 3.10.0 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, a related issue to CVE-2010-3492.

Published: October 19, 2010; 04:00:04 PM -04:00
V2: 4.3 MEDIUM
CVE-2010-3494

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, a related issue to CVE-2010-3492.

Published: October 19, 2010; 04:00:04 PM -04:00
V2: 4.3 MEDIUM
CVE-2010-3493

Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.

Published: October 19, 2010; 04:00:04 PM -04:00
V2: 4.3 MEDIUM
CVE-2010-3492

The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.

Published: October 19, 2010; 04:00:04 PM -04:00
V2: 5.0 MEDIUM
CVE-2009-5010

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different vulnerability than CVE-2010-3494.

Published: October 19, 2010; 04:00:02 PM -04:00
V2: 4.3 MEDIUM
CVE-2010-3089

Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) the list information field or (2) the list description field.

Published: September 15, 2010; 04:00:02 PM -04:00
V2: 3.5 LOW
CVE-2009-4924

Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument to cjson.encode, which makes it easier for remote attackers to conduct certain cross-site scripting (XSS) attacks involving Firefox and the end tag of a SCRIPT element.

Published: July 02, 2010; 03:30:00 PM -04:00
V2: 4.3 MEDIUM
CVE-2010-2480

Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element.

Published: July 02, 2010; 03:00:00 PM -04:00
V2: 4.3 MEDIUM
CVE-2010-1666

Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 encoding is enabled, allows context-dependent attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors involving crafted Unicode input to the cjson.encode function.

Published: July 02, 2010; 03:00:00 PM -04:00
V2: 6.8 MEDIUM