Page 2 of 16 results (0.010 seconds)

CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts will execute in their browser, allowing attackers to perform unauthorized actions or steal sensitive information from their sessions. This impacts any Gradio server that allows file uploads, particularly those using components that process or display user-uploaded files. • https://github.com/gradio-app/gradio/security/advisories/GHSA-gvv6-33j7-884g • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. • https://github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx • CWE-285: Improper Authorization •

CVSS: 2.3EPSS: 0%CPEs: 1EXPL: 0

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the **bypass of directory traversal checks** within the `is_in_or_equal` function. This function, intended to check if a file resides within a given directory, can be bypassed with certain payloads that manipulate file paths using `..` (parent directory) sequences. Attackers could potentially access restricted files if they are able to exploit this flaw, although the difficulty is high. This primarily impacts users relying on Gradio’s blocklist or directory access validation, particularly when handling file uploads. • https://github.com/gradio-app/gradio/security/advisories/GHSA-77xq-6g77-h274 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. • https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9 • CWE-285: Improper Authorization •

CVSS: 2.3EPSS: 0%CPEs: 1EXPL: 0

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **one-level read path traversal** in the `/custom_component` endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the request. Although the traversal is limited to a single directory level, it could expose proprietary or sensitive code that developers intended to keep private. This impacts users who have developed custom Gradio components and are hosting them on publicly accessible servers. • https://github.com/gradio-app/gradio/security/advisories/GHSA-37qc-qgx6-9xjv • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •