Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pythonpaste | paste | * |
| pythonpaste | paste | 0.3 |
| pythonpaste | paste | 1.7.1 |
| pythonpaste | paste | 1.7.3 |
| pythonpaste | paste | 0.9.1 |
| pythonpaste | paste | 0.5 |
| pythonpaste | paste | 1.4.2 |
| pythonpaste | paste | 1.7 |
| pythonpaste | paste | 1.2 |
| pythonpaste | paste | 1.7.2 |
| pythonpaste | paste | 1.0.1 |
| pythonpaste | paste | 0.9.4 |
| pythonpaste | paste | 1.3 |
| pythonpaste | paste | 1.6 |
| pythonpaste | paste | 1.1.1 |
| pythonpaste | paste | 1.5 |
| pythonpaste | paste | 0.1.0 |
| pythonpaste | paste | 1.1 |
| pythonpaste | paste | 1.4 |
| pythonpaste | paste | 0.4.1 |
| pythonpaste | paste | 0.9.3 |
| pythonpaste | paste | 0.9.2 |
Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pythonpaste | paste | * |