Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
validators | 0.14.3 | >=0.11.0,<0.21.0 |
show Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link. https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff https://github.com/python-validators/validators/pull/243 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
validators | 0.14.3 | >=0.11.0,<0.21.0 |
show Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link. https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff https://github.com/python-validators/validators/pull/243 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
validators | 0.14.3 | >=0.11.0,<0.21.0 |
show Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link. https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff https://github.com/python-validators/validators/pull/243 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.41.2 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
sqlparse | 0.3.1 | <0.5.0 |
show Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process. |
sqlparse | 0.3.1 | >=0.1.15,<0.4.4 |
show Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service). https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
validators | 0.14.3 | >=0.11.0,<0.21.0 |
show Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link. https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff https://github.com/python-validators/validators/pull/243 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.36.3 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
sqlparse | 0.3.1 | <0.5.0 |
show Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process. |
sqlparse | 0.3.1 | >=0.1.15,<0.4.4 |
show Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service). https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
validators | 0.14.3 | >=0.11.0,<0.21.0 |
show Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link. https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff https://github.com/python-validators/validators/pull/243 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.36.3 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
sqlparse | 0.3.1 | <0.5.0 |
show Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process. |
sqlparse | 0.3.1 | >=0.1.15,<0.4.4 |
show Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service). https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
SQLAlchemy | 1.3.16 | <2.0.0b1 |
show Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints. https://github.com/sqlalchemy/sqlalchemy/pull/8563 |
validators | 0.14.3 | >=0.11.0,<0.21.0 |
show Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link. https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff https://github.com/python-validators/validators/pull/243 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.36.3 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
sqlparse | 0.3.1 | <0.5.0 |
show Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process. |
sqlparse | 0.3.1 | >=0.1.15,<0.4.4 |
show Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service). https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
SQLAlchemy | 1.3.16 | <2.0.0b1 |
show Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints. https://github.com/sqlalchemy/sqlalchemy/pull/8563 |
validators | 0.14.3 | >=0.11.0,<0.21.0 |
show Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link. https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff https://github.com/python-validators/validators/pull/243 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.36.3 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
Package | Installed | Affected | Info |
---|---|---|---|
py | 1.11.0 | <=1.11.0 |
show Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. https://github.com/pytest-dev/py/issues/287 |
WTForms | 2.3.1 | <3.0.0a1 |
show Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability. https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6 |
sqlparse | 0.3.1 | <0.5.0 |
show Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process. |
sqlparse | 0.3.1 | >=0.1.15,<0.4.4 |
show Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service). https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 1.0.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 1.0.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
SQLAlchemy | 1.3.16 | <2.0.0b1 |
show Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints. https://github.com/sqlalchemy/sqlalchemy/pull/8563 |
validators | 0.14.3 | >=0.11.0,<0.21.0 |
show Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link. https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff https://github.com/python-validators/validators/pull/243 |
Flask-Security | 3.0.0 | >=0,<5.3.3 |
show An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. |
Flask-Security | 3.0.0 | >0 |
show All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. Note: Flask-Security is not maintained anymore. |
Flask-Security | 3.0.0 | <3.1.0 |
show Flask-security 3.1.0 fixes timing attack on login form. https://github.com/mattupstate/flask-security/pull/676 |
SQLAlchemy-Utils | 0.36.3 | >=0.27.0 |
show Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though. https://github.com/kvesteri/sqlalchemy-utils/issues/166 https://github.com/kvesteri/sqlalchemy-utils/pull/499 |
flask-session-captcha | 1.2.0 | <1.2.1 |
show Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work. https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 |
https://pyup.io/repos/github/fake-name/wlnupdates/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/fake-name/wlnupdates/python-3-shield.svg)](https://pyup.io/repos/github/fake-name/wlnupdates/)
.. image:: https://pyup.io/repos/github/fake-name/wlnupdates/python-3-shield.svg :target: https://pyup.io/repos/github/fake-name/wlnupdates/ :alt: Python 3
<a href="https://pyup.io/repos/github/fake-name/wlnupdates/"><img src="https://pyup.io/repos/github/fake-name/wlnupdates/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/fake-name/wlnupdates/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/fake-name/wlnupdates/
{<img src="https://pyup.io/repos/github/fake-name/wlnupdates/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/fake-name/wlnupdates/]
https://pyup.io/repos/github/fake-name/wlnupdates/shield.svg
[![Updates](https://pyup.io/repos/github/fake-name/wlnupdates/shield.svg)](https://pyup.io/repos/github/fake-name/wlnupdates/)
.. image:: https://pyup.io/repos/github/fake-name/wlnupdates/shield.svg :target: https://pyup.io/repos/github/fake-name/wlnupdates/ :alt: Updates
<a href="https://pyup.io/repos/github/fake-name/wlnupdates/"><img src="https://pyup.io/repos/github/fake-name/wlnupdates/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/fake-name/wlnupdates/shield.svg(Updates)!:https://pyup.io/repos/github/fake-name/wlnupdates/
{<img src="https://pyup.io/repos/github/fake-name/wlnupdates/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/fake-name/wlnupdates/]