Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to…
[org.apache.tomcat:tomcat] Authentication Bypass in Apache Tomcat
org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then pl…
[org.apache.tomcat:tomcat] Cross-Site Request Forgery in Apache Tomcat
org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.
R…
[org.apache.tomcat:tomcat] Improper Access Control in Apache Tomcat
The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) a…
[ipython] Improper Neutralization of Input During Web Page Generation in IPython
Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path.
References
https://nvd.nist.gov/vuln/detail/CVE-201…
[ipython] IPython vulnerable to cross site request forgery (CSRF)
IPython (Interactive Python) is a command shell. Cross-site request forgery in the REST API is possible in IPython 2 and 3. Versions 2.4.1 and 3.2.3 contain patches.
References
https://nvd.nist.gov/vuln/detail/CVE-2015-5607
https://github.com/ipyth…
[org.jenkins-ci.plugins:git] Cross-Site Request Forgery in Jenkins Git Plugin
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into foll…
[Mistune] Cross-site Scripting in Mistune
mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-15612
https://github.com/lepture…
[org.springframework.amqp:spring-amqp] Deserialization of Untrusted Data in Spring AMQP
In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code e…
[org.wildfly:wildfly-undertow] Improper Neutralization of CRLF Sequences in Wildfly Undertow
CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting att…