CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-25082 – zwczou WeChat SDK Python to_xml xml external entity reference
https://notcve.org/view.php?id=CVE-2018-25082
A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. • https://github.com/zwczou/weixin-python/commit/e54abadc777715b6dcb545c13214d1dea63df6c9 https://github.com/zwczou/weixin-python/pull/30 https://github.com/zwczou/weixin-python/releases/tag/v0.5.5 https://vuldb.com/?ctiid.223403 https://vuldb.com/?id.223403 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24107
https://notcve.org/view.php?id=CVE-2023-24107
hour_of_code_python_2015 commit 520929797b9ca43bb818b2e8f963fb2025459fa3 was discovered to contain a code execution backdoor via the request package (requirements.txt). This vulnerability allows attackers to access sensitive user information and execute arbitrary code. • https://github.com/jminh/hour_of_code_python_2015 https://github.com/jminh/hour_of_code_python_2015/issues/4 https://mirrors.neusoft.edu.cn/pypi/web/simple/request •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 4CVE-2023-24329 – python: urllib.parse url blocklisting bypass
https://notcve.org/view.php?id=CVE-2023-24329
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. A flaw was found in the Python package. An issue in the urllib.parse component could allow attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.This may lead to compromised Integrity. • https://github.com/JawadPy/CVE-2023-24329-Exploit https://github.com/Pandante-Central/CVE-2023-24329-codeql-test https://github.com/H4R335HR/CVE-2023-24329-PoC https://github.com/python/cpython/issues/102153 https://github.com/python/cpython/pull/99421 https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72 https://lists.fedoraproject.org/archives/list/package-announ • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40897 – pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py
https://notcve.org/view.php?id=CVE-2022-40897
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. Las herramientas de configuración Python Packaging Authority (PyPA) anteriores a 65.5.1 permiten a atacantes remotos provocar una Denegación de Servicio (DoS) a través de HTML en un paquete manipulado o en una página PackageIndex personalizada. Hay una Denegación de Servicio (DoS) de expresión regular (ReDoS) en package_index.py. A flaw was found in Python Setuptools due to a regular expression Denial of Service (ReDoS) present in package_index.py. • https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H https://pyup.io/posts/pyup-discovers- • CWE-185: Incorrect Regular Expression CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45199
https://notcve.org/view.php?id=CVE-2022-45199
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. Pillow anterior a 9.3.0 permite la denegación de servicio a través de SAMPLESPERPIXEL. • https://bugs.gentoo.org/878769 https://github.com/python-pillow/Pillow/commit/2444cddab2f83f28687c7c20871574acbb6dbcf3 https://github.com/python-pillow/Pillow/pull/6700 https://github.com/python-pillow/Pillow/releases/tag/9.3.0 https://security.gentoo.org/glsa/202211-10 • CWE-400: Uncontrolled Resource Consumption •