Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-5992
https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f4…
The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.
References
https://nvd.nist.gov/vuln/detail/CVE-20…
PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-10127
https://github.com/rohe/pysaml2/issues/366
https://github.com/rohe/pysa…
DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blo…
The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain …
HKDF in cryptography before 1.5.3 returns an empty byte-string if used with a length less than algorithm.digest_size.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-9243
https://github.com/pyca/cryptography/issues/3211
https://github.com/pyca/cr…
JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-6348
https://bugzilla.redhat.com/show_bug.cgi?id=1372129
https://github.com/a…
java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive reque…
The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.
References
https://nvd.nist.gov/vuln/detail/CVE-2015-8557
h…
Csrf.cs in NancyFX Nancy before 1.4.4 and 2.x before 2.0-dangermouse has Remote Code Execution via Deserialization of JSON data in a CSRF Cookie.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-9785
https://github.com/NancyFx/Nancy/releases/tag/v…
