CVSS: 10.0EPSS: 0%CPEs: 28EXPL: 0CVE-2024-53899 – virtualenv: potential command injection via virtual environment activation scripts
https://notcve.org/view.php?id=CVE-2024-53899
24 Nov 2024 — virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287. A flaw was found in the virtualenv Python package. Due to the improper handling of quotes in magic template strings, the virtual environment activation script is vulnerable to OS command injection,leading to the loss of confidentiality,integrity and availability of the system. • https://github.com/pypa/virtualenv/issues/2768 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11073 – Remote Code Execution in Autoswitch Python Virtualenv
https://notcve.org/view.php?id=CVE-2020-11073
13 May 2020 — In Autoswitch Python Virtualenv before version 0.16.0, a user who enters a directory with a malicious `.venv` file could run arbitrary code without any user interaction. This is fixed in version: 1.16.0 En Autoswitch Python Virtualenv versiones anteriores a 0.16.0, un usuario que ingresa a un directorio con un archivo malicioso ".venv" podría ejecutar código arbitrario sin interacción del usuario. Esto es corregido en la versión: 1.16.0 • https://github.com/MichaelAquilina/zsh-autoswitch-virtualenv/commit/30c77db7c83eca2bc5f6134fccbdc117b49a6a05 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.9EPSS: 12%CPEs: 10EXPL: 1CVE-2013-5123 – phlyLabs phlyMail Lite 4.03.04 - 'go' Open Redirect
https://notcve.org/view.php?id=CVE-2013-5123
05 Nov 2019 — The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. El soporte de duplicación (-M, --use-mirrors) en Python Pip versiones anteriores a la versión 1.5, utiliza consultas DNS no seguras y comprobaciones de autenticidad que permiten a atacantes realizar ataques de tipo man-in-the-middle. • https://www.exploit-db.com/exploits/24086 • CWE-287: Improper Authentication •