
CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 2

CVE-2022-40023: Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service (ReDoS) when using the Lexer class to parse. This also affects babelplugin and linguaplugin. A vulnerability was found in the mako package: affected versions of this package are vulnerable to Regular expression denial of service (ReDoS) attacks, affecting system availability.

References:
• https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
• https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
• https://github.com/sqlalchemy/mako/issues/366
• https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html
• https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages
• https://pyup.io/vulnerabilities/CVE-2022-40023/50870
• https://access.redhat.com/security/cve/CVE-2022-40023
• https://bugzilla.redhat.com

Weakness: CWE-1333: Inefficient Regular Expression Complexity

CVSS: 4.3 | EPSS: 0% | CPEs: 22 | EXPL: 0

Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element.

References:
• http://bugs.python.org/issue9061
• http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
• http://secunia.com/advisories/39935
• http://www.makotemplates.org/CHANGES

Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')