CVE-2020-11073 – Remote Code Execution in Autoswitch Python Virtualenv
https://notcve.org/view.php?id=CVE-2020-11073
In Autoswitch Python Virtualenv (zsh-autoswitch-virtualenv) before version 0.16.0, a user who merely enters a directory containing a malicious `.venv` file can end up running arbitrary code, with no further user interaction: the file's contents are used both as a path component and in a shell command, so a crafted value escapes the virtualenv directory (CWE-22) or injects additional commands (CWE-77). This is fixed in version 0.16.0. • https://github.com/MichaelAquilina/zsh-autoswitch-virtualenv/commit/30c77db7c83eca2bc5f6134fccbdc117b49a6a05 https://github.com/MichaelAquilina/zsh-autoswitch-virtualenv/issues/122 https://github.com/MichaelAquilina/zsh-autoswitch-virtualenv/pull/123 https://github.com/MichaelAquilina/zsh-autoswitch-virtualenv/security/advisories/GHSA-h8wm-cqq6-957q • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
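The two CWEs above describe one root cause: untrusted file contents flow into a path and a shell line. The following added example (not the plugin's own zsh code; the virtualenv home and the candidate names are constructed for illustration) shows the naive composition beside a hardened version that allow-lists the name and confirms the resolved path stays under the virtualenv home:

```python
import os
import re

# Constructed example values: a hypothetical virtualenv home directory and
# strings as they might be read from a project's .venv file.
VENV_HOME = "/home/alice/.virtualenvs"

# Allow-list for a virtualenv name: exactly one path component made of
# characters that are inert in both a path and a shell command line.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def vulnerable_activate_cmd(venv_name: str) -> str:
    """Naive composition: the raw .venv contents land in a path and in a shell line.
    A name like '../../tmp/evil' walks out of VENV_HOME (path traversal) and a name
    like 'x; touch /tmp/pwned' injects a second command (command injection)."""
    return f"source {VENV_HOME}/{venv_name}/bin/activate"


def hardened_venv_path(venv_name: str) -> str:
    """Validate the name against the allow-list, then confirm that the resolved
    path is still inside VENV_HOME before anything is sourced or executed."""
    name = venv_name.strip()
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected venv name: {name!r}")
    root = os.path.realpath(VENV_HOME)
    target = os.path.realpath(os.path.join(root, name))
    # Defence in depth: even a name that passed the regex must resolve under root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"venv path escapes {root}: {target}")
    return target


def is_safe_venv_name(venv_name: str) -> bool:
    """Convenience predicate for callers that just need a yes/no answer."""
    try:
        hardened_venv_path(venv_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("myproject", "../../tmp/evil", "x; touch /tmp/pwned"):
        print(f"{candidate!r:28} naive: {vulnerable_activate_cmd(candidate)!r}")
        print(f"{'':28} safe:  {is_safe_venv_name(candidate)}")
```

The regex alone already rejects `/`, `;`, spaces and `..`; the `realpath` containment check is kept because it also catches symlinked names inside the home directory that the regex cannot see.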
CVE-2020-11888
https://notcve.org/view.php?id=CVE-2020-11888
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds: the name is taken to be whatever \w+ matches, without requiring that the match end where a tag name can end. For example, an attack might use `elementname@` or `elementname-` with an onclick attribute, so that the sanitizer sees an allowed element name while the browser sees a different element carrying an event handler. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00035.html https://github.com/trentm/python-markdown2/issues/348 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XOAIRJJCZNJUALXDHSIGH5PS2H63A3J https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AQLRBGRVRRZK7P5SFL2MNGXFX37YHJAV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
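To make the element-name problem concrete, here is an added example (my own code, not python-markdown2's, and the allow-list and regexes are assumptions chosen for illustration) that contrasts a lenient gate, where the name is whatever an unanchored \w+ matches, with a strict gate that requires the name to end at whitespace, `/` or `>` and additionally refuses on* event-handler attributes:

```python
import html
import re

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "code", "pre"}

# Weak gate, modelling the class of bug: the name is whatever \w+ matches first,
# so "<a@ ...>" and "<a- ...>" are both seen as an allowed <a>.
LENIENT_NAME_RE = re.compile(r"<\s*/?\s*(\w+)")

# Strict gate: the name must end exactly where a tag name can end
# (whitespace, '/' or '>'); anything else means this is not a tag we recognise.
STRICT_NAME_RE = re.compile(r"<\s*/?\s*(\w+)(?=[\s/>])")

EVENT_HANDLER_RE = re.compile(r"\son\w+\s*=", re.IGNORECASE)
RAW_TAG_RE = re.compile(r"<[^>]*>")


def lenient_tag_name(tag: str):
    m = LENIENT_NAME_RE.match(tag)
    return m.group(1) if m else None


def strict_tag_name(tag: str):
    m = STRICT_NAME_RE.match(tag)
    return m.group(1) if m else None


def is_allowed_tag_lenient(tag: str) -> bool:
    """Name-only check, as a sanitizer relying on an unanchored \\w+ would do it."""
    name = lenient_tag_name(tag)
    return name is not None and name.lower() in ALLOWED_TAGS


def is_allowed_tag_strict(tag: str) -> bool:
    """Anchored name check plus refusal of any on* event-handler attribute:
    a correctly parsed element name alone does not make a tag safe."""
    name = strict_tag_name(tag)
    if name is None or name.lower() not in ALLOWED_TAGS:
        return False
    return EVENT_HANDLER_RE.search(tag) is None


def sanitize(text: str, strict: bool = True) -> str:
    """HTML-escape every raw tag that the chosen gate does not allow."""
    gate = is_allowed_tag_strict if strict else is_allowed_tag_lenient

    def repl(m):
        tag = m.group(0)
        return tag if gate(tag) else html.escape(tag)

    return RAW_TAG_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed payload of the shape described in the advisory.
    payload = '<a@ onclick="alert(1)">click</a@>'
    print("lenient:", sanitize(payload, strict=False))
    print("strict: ", sanitize(payload))
```

The lookahead in `STRICT_NAME_RE` is the whole fix for the name issue; the event-handler check is there because a sanitizer that gets the name right but passes `onclick` through is still exploitable.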
CVE-2020-7212
https://notcve.org/view.php?id=CVE-2020-7212
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains every match of a percent encoding in the URL and is not deduplicated, so for a URL of length N it may hold O(N) entries. The following step, normalizing the existing percent-encoded bytes, performs an O(N) pass over the URL for each entry, so the total time is O(N^2); a request to an attacker-supplied URL packed with percent escapes is enough to trigger it. Fixed in 1.25.8. • https://github.com/urllib3/urllib3/blob/master/CHANGES.rst https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a https://pypi.org/project/urllib3/1.25.8 • CWE-400: Uncontrolled Resource Consumption •
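The quadratic shape is easy to reproduce. The added example below is my own reconstruction of the algorithm as the advisory describes it, not urllib3's source (the exact fix is in the linked commit); it counts characters scanned as a proxy for time and compares the non-deduplicated loop with a deduplicated loop and a single-pass substitution:

```python
import re

# Percent-escape pattern as used in URL normalization: '%' plus two hex digits.
PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")


def normalize_percent_quadratic(component: str):
    """Weak form of the described step: every %XX match is collected (duplicates
    included) and each one triggers a str.replace over the whole component.
    Returns (normalized, chars_scanned); chars_scanned models the work done."""
    percent_encodings = PERCENT_RE.findall(component)   # up to O(N) entries
    scanned = 0
    for enc in percent_encodings:
        if not enc.isupper():
            component = component.replace(enc, enc.upper())   # O(N) scan each time
            scanned += len(component)
    return component, scanned


def normalize_percent_dedup(component: str):
    """Minimal fix: deduplicate before replacing, so the number of O(N) scans is
    bounded by the number of distinct escapes (at most 256), not by N."""
    scanned = 0
    for enc in set(PERCENT_RE.findall(component)):
        if not enc.isupper():
            component = component.replace(enc, enc.upper())
            scanned += len(component)
    return component, scanned


def normalize_percent_linear(component: str):
    """Single-pass form: one regex substitution uppercases each match in place."""
    normalized, _count = PERCENT_RE.subn(lambda m: m.group(0).upper(), component)
    return normalized, len(component)


def work_comparison(n_escapes: int):
    """Constructed worst case: n_escapes lowercase '%ab' escapes back to back.
    Returns the scan counts for (quadratic, dedup, linear); all three agree on
    the normalized output."""
    url = "%ab" * n_escapes
    q, q_scanned = normalize_percent_quadratic(url)
    d, d_scanned = normalize_percent_dedup(url)
    l, l_scanned = normalize_percent_linear(url)
    assert q == d == l == "%AB" * n_escapes
    return q_scanned, d_scanned, l_scanned


if __name__ == "__main__":
    for n in (1_000, 10_000):
        print(n, work_comparison(n))
```

For 2000 escapes the naive loop scans 12,000,000 characters against 6,000 for either fixed form; doubling the input quadruples the first number and only doubles the others, which is the O(N^2) versus O(N) gap the advisory describes.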
CVE-2013-5106
https://notcve.org/view.php?id=CVE-2013-5106
A code execution vulnerability exists in select.py when using python-mode 2012-12-19. • http://github.com/klen/python-mode/issues/162 • CWE-20: Improper Input Validation •
CVE-2019-9674
https://notcve.org/view.php?id=CVE-2019-9674
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb: the module extracts whatever the archive declares, so an application that opens untrusted archives without its own size or compression-ratio limits can be made to allocate or write far more data than the archive's own size suggests. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html https://bugs.python.org/issue36260 https://bugs.python.org/issue36462 https://github.com/python/cpython/blob/master/Lib/zipfile.py https://python-security.readthedocs.io/security.html#archives-and-zip-bomb https://security.netapp.com/advisory/ntap-20200221-0003 https://usn.ubuntu.com/4428-1 https://www.python.org/news/security • CWE-400: Uncontrolled Resource Consumption •
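Because zipfile itself enforces no limits, the caller has to. The added example below (my own code, not CPython's; the budget and ratio thresholds are assumptions, and the archive is constructed in memory) builds a small, highly compressible archive, rejects it from the central-directory sizes, and then shows the streaming read that enforces a byte limit regardless of what the header claims, since declared sizes are attacker-controlled:

```python
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # assumed budget: 50 MiB per archive
MAX_RATIO = 100                               # assumed limit: refuse > 100:1 expansion
CHUNK = 64 * 1024


class ZipBombError(ValueError):
    pass


def build_bomb(payload_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed sample: one member of zeros, which deflates at roughly 1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * payload_size)
    return buf.getvalue()


def check_archive(data: bytes, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Pre-check from the central directory. These sizes are declared by the
    archive, so a passing result is only a hint; the streaming read below is
    the real guard. Returns (declared_uncompressed, declared_compressed)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        total_unc = sum(i.file_size for i in infos)
        total_comp = sum(i.compress_size for i in infos)
    if total_unc > max_total:
        raise ZipBombError(f"declared size {total_unc} exceeds budget {max_total}")
    if total_comp and total_unc / total_comp > max_ratio:
        raise ZipBombError(f"ratio {total_unc / total_comp:.0f}:1 exceeds {max_ratio}:1")
    return total_unc, total_comp


def safe_read_member(data: bytes, name: str, max_bytes: int) -> bytes:
    """Stream one member and abort as soon as more than max_bytes come out,
    independent of the size the header declared for it."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            # Read at most one byte past the limit so an overrun is detectable.
            chunk = fh.read(min(CHUNK, max_bytes - len(out) + 1))
            if not chunk:
                break
            out.extend(chunk)
            if len(out) > max_bytes:
                raise ZipBombError(f"member {name!r} exceeded {max_bytes} bytes")
    return bytes(out)


def is_zip_bomb(data: bytes, **limits) -> bool:
    try:
        check_archive(data, **limits)
    except ZipBombError:
        return True
    return False


def read_member_or_none(data: bytes, name: str, max_bytes: int):
    try:
        return safe_read_member(data, name, max_bytes)
    except ZipBombError:
        return None


if __name__ == "__main__":
    bomb = build_bomb()
    print(f"archive bytes: {len(bomb)}, flagged: {is_zip_bomb(bomb)}")
    print("1 MiB read limit:", read_member_or_none(bomb, "zeros.bin", 1024 * 1024))
```

Nested archives (a zip inside a zip) pass the central-directory check of the outer file, which is another reason the per-member byte limit during extraction, not the declared sizes, must be the enforcing control.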