CVE-2023-33595
https://notcve.org/view.php?id=CVE-2023-33595
CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c. • https://github.com/python/cpython/issues/103824 https://github.com/python/cpython/pull/103993/commits/c120bc2d354ca3d27d0c7a53bf65574ddaabaf3a • CWE-416: Use After Free •
CVE-2023-27043 – python: Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple
https://notcve.org/view.php?id=CVE-2023-27043
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. • http://python.org https://github.com/python/cpython/issues/102988 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY5 • CWE-20: Improper Input Validation •
CVE-2018-25082 – zwczou WeChat SDK Python to_xml xml external entity reference
https://notcve.org/view.php?id=CVE-2018-25082
A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to an XML external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 addresses this issue. • https://github.com/zwczou/weixin-python/commit/e54abadc777715b6dcb545c13214d1dea63df6c9 https://github.com/zwczou/weixin-python/pull/30 https://github.com/zwczou/weixin-python/releases/tag/v0.5.5 https://vuldb.com/?ctiid.223403 https://vuldb.com/?id.223403 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-24107
https://notcve.org/view.php?id=CVE-2023-24107
hour_of_code_python_2015 commit 520929797b9ca43bb818b2e8f963fb2025459fa3 was discovered to contain a code execution backdoor via the request package (requirements.txt). This vulnerability allows attackers to access sensitive user information and execute arbitrary code. • https://github.com/jminh/hour_of_code_python_2015 https://github.com/jminh/hour_of_code_python_2015/issues/4 https://mirrors.neusoft.edu.cn/pypi/web/simple/request •
CVE-2023-24329 – python: urllib.parse url blocklisting bypass
https://notcve.org/view.php?id=CVE-2023-24329
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. This may lead to compromised integrity. • https://github.com/JawadPy/CVE-2023-24329-Exploit https://github.com/Pandante-Central/CVE-2023-24329-codeql-test https://github.com/H4R335HR/CVE-2023-24329-PoC https://github.com/python/cpython/issues/102153 https://github.com/python/cpython/pull/99421 https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72 https://lists.fedoraproject.org/archives/list/package-announ • CWE-20: Improper Input Validation •