National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): python
  • Search Type: Search All
There are 358 matching records.
Displaying matches 81 through 100.
Vuln ID Summary CVSS Severity
CVE-2015-4706

Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path.

Published: September 21, 2017; 10:29:00 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2015-4707

Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/notebooks path.

Published: September 20, 2017; 02:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2015-5607

Cross-site request forgery in the REST API in IPython 2 and 3.

Published: September 20, 2017; 12:29:00 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2017-14483

flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 for Celery Flower sets PID file ownership to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command.

Published: September 15, 2017; 06:29:00 AM -04:00
V3: 5.5 MEDIUM
V2: 4.9 MEDIUM
CVE-2017-2809

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.

Published: September 14, 2017; 03:29:00 PM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2017-1002150

python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection

Published: September 14, 2017; 09:29:01 AM -04:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2015-3206

The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.

Published: August 25, 2017; 02:29:00 PM -04:00
V3: 8.1 HIGH
V2: 6.8 MEDIUM
CVE-2014-4616

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.

Published: August 24, 2017; 04:29:00 PM -04:00
V3: 5.9 MEDIUM
V2: 4.3 MEDIUM
CVE-2015-2674

Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument.

Published: August 09, 2017; 02:29:01 PM -04:00
V3: 5.9 MEDIUM
V2: 4.3 MEDIUM
CVE-2017-12653

360 Total Security 9.0.0.1202 before 2017-07-07 allows Privilege Escalation via a Trojan horse Shcore.dll file in any directory in the PATH, as demonstrated by the C:\Python27 directory.

Published: August 07, 2017; 02:29:00 PM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2016-4000

Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.

Published: July 06, 2017; 12:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2017-10803

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.

Published: July 04, 2017; 02:29:00 PM -04:00
V3: 6.5 MEDIUM
V2: 8.5 HIGH
CVE-2017-9807

An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. The saveConfig function of "plugin/controllers/models/config.py" performs an eval() call on the contents of the "key" HTTP GET parameter. This allows an unauthenticated remote attacker to execute arbitrary Python code or OS commands via api/saveconfig.

Published: June 21, 2017; 11:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 10.0 HIGH
CVE-2017-2810

An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability.

Published: June 14, 2017; 09:29:00 AM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2015-3220

The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash).

Published: June 13, 2017; 12:29:00 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2017-9462

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

Published: June 06, 2017; 05:29:00 PM -04:00
V3: 8.8 HIGH
V2: 9.0 HIGH
CVE-2015-6531

Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file.

Published: June 01, 2017; 12:29:00 PM -04:00
V3: 7.8 HIGH
V2: 9.3 HIGH
CVE-2017-3590

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 2.1.5 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Published: April 24, 2017; 03:59:05 PM -04:00
V3: 3.3 LOW
V2: 2.1 LOW
CVE-2017-5524

Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.

Published: March 23, 2017; 12:59:00 PM -04:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM
CVE-2017-7235

An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0.

Published: March 23, 2017; 12:59:00 AM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM