CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11073 – Remote Code Execution in Autoswitch Python Virtualenv
https://notcve.org/view.php?id=CVE-2020-11073
13 May 2020 — In Autoswitch Python Virtualenv before version 0.16.0, a user who enters a directory with a malicious `.venv` file could run arbitrary code without any user interaction. This is fixed in version: 1.16.0 En Autoswitch Python Virtualenv versiones anteriores a 0.16.0, un usuario que ingresa a un directorio con un archivo malicioso ".venv" podría ejecutar código arbitrario sin interacción del usuario. Esto es corregido en la versión: 1.16.0 • https://github.com/MichaelAquilina/zsh-autoswitch-virtualenv/commit/30c77db7c83eca2bc5f6134fccbdc117b49a6a05 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11888
https://notcve.org/view.php?id=CVE-2020-11888
20 Apr 2020 — python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute. python-markdown2 versiones hasta 2.3.8, permite un ataque de tipo XSS porque los nombres de los elementos se manejan inapropiadamente a menos que una coincidencia de \w+ tenga éxito. Por ejemplo, un ataque podría usar elementname@ o elementname- con un atributo onclick. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00031.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2013-5106
https://notcve.org/view.php?id=CVE-2013-5106
12 Feb 2020 — A Code Execution vulnerability exists in select.py when using python-mode 2012-12-19. Se presenta una vulnerabilidad de ejecución de código en el archivo select.py cuando se utiliza el python-mode 2012-12-19. • http://github.com/klen/python-mode/issues/162 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2019-9674 – Ubuntu Security Notice USN-6891-1
https://notcve.org/view.php?id=CVE-2019-9674
04 Feb 2020 — Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. La biblioteca Lib/zipfile.py en Python versiones hasta 3.7.2, permite a atacantes remotos causar una denegación de servicio (consumo de recursos) por medio de una bomba ZIP. USN-4754-1 fixed vulnerabilities in Python. This update provides the corresponding updates for Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. In the case of Python 2.7 for 20.04 ESM, these additional fixes are inclu... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.1EPSS: 4%CPEs: 15EXPL: 1CVE-2020-8492 – python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS
https://notcve.org/view.php?id=CVE-2020-8492
30 Jan 2020 — Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. Python versiones 2.7 hasta 2.7.17, versiones 3.5 hasta 3.5.9, versiones 3.6 hasta 3.6.10, versiones 3.7 hasta 3.7.6 y versiones 3.8 hasta 3.8.1, permiten a un servidor HTTP conducir ataques de Denegación de Servicio de Expre... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-8315
https://notcve.org/view.php?id=CVE-2020-8315
28 Jan 2020 — In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected. En Python (CPython) versiones 3.6 hasta 3.6.10, 3.7 hasta 3.7.6 y 3.8 hasta 3.8.1, una carga de dependencia no segura al iniciarse en Windows 7 puede resultar en una copia del atacante de api-ms-win-core-path- l1-1-0.dll ... • https://bugs.python.org/issue39401 • CWE-427: Uncontrolled Search Path Element •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2009-3724
https://notcve.org/view.php?id=CVE-2009-3724
15 Jan 2020 — python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. python-markdown2 versiones anteriores a la versión 1.0.1.14, tiene múltiples problemas de tipo cross-site scripting (XSS) . • https://snyk.io/vuln/SNYK-PYTHON-PYRAD-40000 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0161
https://notcve.org/view.php?id=CVE-2014-0161
02 Jan 2020 — ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate. ovirt-engine-sdk-python versiones anteriores a la versión 3.4.0.7 y 3.5.0.4, no comprueba que el nombre de host del endpoint remoto coincida con el Common Name (CN) o subjectAltName según lo... • https://access.redhat.com/security/cve/cve-2014-0161 • CWE-295: Improper Certificate Validation •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 2CVE-2019-14859 – python-ecdsa: DER encoding is not being verified in signatures
https://notcve.org/view.php?id=CVE-2019-14859
18 Nov 2019 — A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. Se encontró un fallo en todas las versiones de python-ecdsa anteriores a la versión 0.13.3, donde no se comprobaba correctamente si las firmas usaban codificación DER. Sin esta... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14853 – python-ecdsa: Unexpected and undocumented exceptions during signature decoding
https://notcve.org/view.php?id=CVE-2019-14853
18 Nov 2019 — An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service. Se encontró un error de manejo de errores en python-ecdsa anterior de la versión 0.13.3. Durante la decodificación de firmas, las firmas DER mal formadas pueden generar excepciones inesperadas (o ninguna excepción), lo que podría conducir a una denegación de servicio. An error-handling... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14853 • CWE-391: Unchecked Error Condition CWE-755: Improper Handling of Exceptional Conditions •