Page 2 of 8 results (0.005 seconds)

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. Pallets Werkzeug en versiones anteriores a 0.15.3, cuando es usado con Docker, presenta una aleatoriedad insuficiente del PIN del depurador porque los contenedores Docker comparten la mismo id de máquina. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168 https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246 https://palletsprojects.com/blog/werkzeug-0-15-3-released • CWE-331: Insufficient Entropy •

CVSS: 7.5EPSS: 84%CPEs: 2EXPL: 3

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. En Werkzeug de Pallets anterior a versión 0.15.5, la función SharedDataMiddleware maneja inapropiadamente los nombres de las unidades (tal y como C:) en los nombres de ruta de Windows. • https://www.exploit-db.com/exploits/50101 https://github.com/faisalfs10x/CVE-2019-14322-scanner http://packetstormsecurity.com/files/163398/Pallets-Werkzeug-0.15.4-Path-Traversal.html https://palletsprojects.com/blog/werkzeug-0-15-5-released • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. Vulnerabilidad Cross-Site Scripting (XSS) en la función render_full en debug/tbtools.py en el depurador en Pallets Werkzeug en versiones anteriores a la 0.11.11 (usado en Pallets Flask y otros productos) permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante un campo que contenga un mensaje de excepción. • http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger https://github.com/pallets/werkzeug/pull/1001 https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html https://access.redhat.com/security/cve/CVE-2016-10516 https://bugzilla.redhat.com/show_bug.cgi?id=1512102 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •