data/insecure_full.json

{
    "acqusition": [
        {
            "advisory": "acqusition is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34978",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "aegea": [
        {
            "advisory": "Aegea 2.2.7 avoids CVE-2018-1000805.",
            "cve": "CVE-2018-1000805",
            "id": "pyup.io-37611",
            "specs": [
                "<2.2.7"
            ],
            "v": "<2.2.7"
        }
    ],
    "aethos": [
        {
            "advisory": "Aethos 0.3.0.1 hotfixed NLTK package in setup.py and the vulnerable version.",
            "cve": null,
            "id": "pyup.io-37721",
            "specs": [
                "<0.3.0.1"
            ],
            "v": "<0.3.0.1"
        }
    ],
    "agraph-python": [
        {
            "advisory": "Agraph-python before 101.0.3 updates numpy to 1.16.0 and urllib3 to 1.24.2 for security reasons.",
            "cve": null,
            "id": "pyup.io-37085",
            "specs": [
                "<101.0.3"
            ],
            "v": "<101.0.3"
        }
    ],
    "aiida": [
        {
            "advisory": "Aiida 0.12.3 fixes a security vulnerability by upgrading `paramiko` to `2.4.2`.",
            "cve": null,
            "id": "pyup.io-37054",
            "specs": [
                "<0.12.3"
            ],
            "v": "<0.12.3"
        }
    ],
    "aiida-core": [
        {
            "advisory": "aiida-core 0.12.3 fixes security vulnerability by upgrading `paramiko` to `2.4.2`",
            "cve": null,
            "id": "pyup.io-36956",
            "specs": [
                "<0.12.3"
            ],
            "v": "<0.12.3"
        }
    ],
    "aiocoap": [
        {
            "advisory": "The proxy in aiocoap 0.4a1 only creates log files when explicitly requested (18ddf8c). Also, support for secured protocols has been added.",
            "cve": null,
            "id": "pyup.io-37469",
            "specs": [
                "<0.4a1"
            ],
            "v": "<0.4a1"
        }
    ],
    "aiocouchdb": [
        {
            "advisory": "aiocouchdb 0.6.0 now correctly set members for database security.",
            "cve": null,
            "id": "pyup.io-25612",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "aioftp": [
        {
            "advisory": "The server of aioftp 0.15.0 uses explicit mapping of available commands for security reasons.",
            "cve": null,
            "id": "pyup.io-38045",
            "specs": [
                "<0.15.0"
            ],
            "v": "<0.15.0"
        }
    ],
    "aiohttp": [
        {
            "advisory": "aiohttp 0.16.3 fixes a StaticRoute vulnerability to directory traversal attacks.",
            "cve": null,
            "id": "pyup.io-25613",
            "specs": [
                "<0.16.3"
            ],
            "v": "<0.16.3"
        }
    ],
    "aiohttp-auth-autz": [
        {
            "advisory": "aiohttp-auth-autz before 0.2.0 isn't correctly checking the user_id in acl middleware, leading to a possible permission escalation.",
            "cve": null,
            "id": "pyup.io-32971",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "aiohttp-jinja2": [
        {
            "advisory": "Aiohttp-jinja2 1.1.1 bumps minimal supported ``jinja2`` version to 2.10.1 to avoid a security vulnerability problem.",
            "cve": null,
            "id": "pyup.io-37095",
            "specs": [
                "<1.1.1"
            ],
            "v": "<1.1.1"
        }
    ],
    "aioli": [
        {
            "advisory": "aioli 0.16.3 fixes StaticRoute vulnerability to directory traversal attacks.",
            "cve": null,
            "id": "pyup.io-37007",
            "specs": [
                "<0.16.3"
            ],
            "v": "<0.16.3"
        }
    ],
    "aldryn-django": [
        {
            "advisory": "aldryn-django 1.8.10.1 uses an insecure Django release, 1.8.9.",
            "cve": null,
            "id": "pyup.io-25614",
            "specs": [
                "<1.8.10.1"
            ],
            "v": "<1.8.10.1"
        },
        {
            "advisory": "aldryn-django before 1.8.18.1 uses an insecure Django release (Django <1.8.18).",
            "cve": null,
            "id": "pyup.io-34512",
            "specs": [
                "<1.8.18.1"
            ],
            "v": "<1.8.18.1"
        }
    ],
    "alexandra": [
        {
            "advisory": "alexandra 0.4.0 bumps dependency versions to avoid pyOpenSSL vulnerability",
            "cve": null,
            "id": "pyup.io-36552",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "allennlp": [
        {
            "advisory": "allennlp 0.6.1 upgrades flask to avoid security vulnerability.",
            "cve": null,
            "id": "pyup.io-36530",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        }
    ],
    "alt-model-checkpoint": [
        {
            "advisory": "alt-model-checkpoint 1.0.1 upgrades dependencies, esp. for requests==2.20.0 security patch",
            "cve": null,
            "id": "pyup.io-36628",
            "specs": [
                "<1.0.1"
            ],
            "v": "<1.0.1"
        }
    ],
    "ambient-api": [
        {
            "advisory": "ambient-api 1.5.2 updates requirements.txt to use requests>=2.2.0 due to a security vulnerability.",
            "cve": null,
            "id": "pyup.io-36594",
            "specs": [
                "<1.5.2"
            ],
            "v": "<1.5.2"
        }
    ],
    "ampache": [
        {
            "advisory": "ampache 3.6alpha1 fixes persistent XSS vulnerabilities in user self-editing and in AJAX object editing",
            "cve": null,
            "id": "pyup.io-37866",
            "specs": [
                "<3.6-alpha5"
            ],
            "v": "<3.6-alpha5"
        },
        {
            "advisory": "ampache 3.8 fixes an XSS vulnerability - see CVE-2014-8620",
            "cve": "CVE-2014-8620",
            "id": "pyup.io-37865",
            "specs": [
                "<3.8.0"
            ],
            "v": "<3.8.0"
        },
        {
            "advisory": "ampache 3.8.2 fixes a potential security vulnerability on smartplaylist search rule and catalog management actions",
            "cve": null,
            "id": "pyup.io-37864",
            "specs": [
                "<3.8.2"
            ],
            "v": "<3.8.2"
        },
        {
            "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12385 for the SQL Injection\r\n* Resolves CVE-2019-12386 for the persistent XSS\r\n* Resolves NS-18-046 Multiple Reflected Cross-site Scripting Vulnerabilities in Ampache 3.9.0",
            "cve": "CVE-2019-12385, CVE-2019-12386",
            "id": "pyup.io-37863",
            "specs": [
                "<4.0.0"
            ],
            "v": "<4.0.0"
        }
    ],
    "anncolvar": [
        {
            "advisory": "anncolvar 0.4 updates requirements.txt to fix security issues.",
            "cve": null,
            "id": "pyup.io-36803",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        }
    ],
    "annotator": [
        {
            "advisory": "annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.",
            "cve": null,
            "id": "pyup.io-25615",
            "specs": [
                "<0.11.2"
            ],
            "v": "<0.11.2"
        }
    ],
    "ansible": [
        {
            "advisory": "ansible 1.2.3 includes local security fixes for predictable file locations for ControlPersist and retry file paths on shared machines on operating systems without kernel symlink/hardlink protections.",
            "cve": null,
            "id": "pyup.io-25616",
            "specs": [
                "<1.2.3"
            ],
            "v": "<1.2.3"
        },
        {
            "advisory": "ansible 1.5.4 includes a security fix for safe_eval, which further hardens the checking of the evaluation function.",
            "cve": null,
            "id": "pyup.io-25617",
            "specs": [
                "<1.5.4"
            ],
            "v": "<1.5.4"
        },
        {
            "advisory": "ansible 1.5.5 includes a security fix for vault, to ensure the umask is set to a restrictive mode before creating/editing vault files.",
            "cve": null,
            "id": "pyup.io-25618",
            "specs": [
                "<1.5.5"
            ],
            "v": "<1.5.5"
        },
        {
            "advisory": "ansible includes 1.6.4 security updates related to evaluation of untrusted remote inputs.",
            "cve": null,
            "id": "pyup.io-25619",
            "specs": [
                "<1.6.4"
            ],
            "v": "<1.6.4"
        },
        {
            "advisory": "ansible 1.6.6 includes security updates to further protect against the incorrect execution of untrusted data.",
            "cve": null,
            "id": "pyup.io-25620",
            "specs": [
                "<1.6.6"
            ],
            "v": "<1.6.6"
        },
        {
            "advisory": "ansible 1.6.7 contains two security fixes:\r\n  * Strip lookup calls out of inventory variables and clean unsafe data\r\n    returned from lookup plugins (CVE-2014-4966)\r\n  * Make sure vars don't insert extra parameters into module args and prevent\r\n    duplicate params from superseding previous params (CVE-2014-4967)",
            "cve": "CVE-2014-4967",
            "id": "pyup.io-25621",
            "specs": [
                "<1.6.7"
            ],
            "v": "<1.6.7"
        },
        {
            "advisory": "ansible 1.7 contains two security fixes:\r\n- Prevent the use of lookups when using legacy \" \" syntax around variables and with_* loops.\r\n  - Remove relative paths in TAR-archived file names used by ansible-galaxy.",
            "cve": null,
            "id": "pyup.io-25622",
            "specs": [
                "<1.7"
            ],
            "v": "<1.7"
        },
        {
            "advisory": "ansible 1.7.1 contains a security fix to disallow specifying 'args:' as a string, which could allow the insertion of extra module parameters through variables.",
            "cve": null,
            "id": "pyup.io-25623",
            "specs": [
                "<1.7.1"
            ],
            "v": "<1.7.1"
        },
        {
            "advisory": "ansible 1.8.3 fixes a security bug related to the default permissions set on a temporary file created when using \"ansible-vault view <filename>\".",
            "cve": null,
            "id": "pyup.io-25624",
            "specs": [
                "<1.8.3"
            ],
            "v": "<1.8.3"
        },
        {
            "advisory": "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
            "cve": "CVE-2015-3908",
            "id": "pyup.io-25625",
            "specs": [
                "<1.9.2"
            ],
            "v": "<1.9.2"
        },
        {
            "advisory": "The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.",
            "cve": "CVE-2016-3096",
            "id": "pyup.io-25626",
            "specs": [
                "<1.9.6"
            ],
            "v": "<1.9.6"
        },
        {
            "advisory": "The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.",
            "cve": "CVE-2016-3096",
            "id": "pyup.io-25627",
            "specs": [
                "<2.0.2"
            ],
            "v": "<2.0.2"
        },
        {
            "advisory": "ansible before 2.2.1 is vulnerable to arbitrary code execution. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server as the user and group Ansible is running as.",
            "cve": null,
            "id": "pyup.io-33286",
            "specs": [
                "<2.2.1"
            ],
            "v": "<2.2.1"
        },
        {
            "advisory": "ansible before 2.3.1 is vulnerable to CVE-2017-7481 - data for lookup plugins used as variables was not being correctly marked as \"unsafe\".",
            "cve": null,
            "id": "pyup.io-34941",
            "specs": [
                "<2.3.1"
            ],
            "v": "<2.3.1"
        }
    ],
    "ansible-runner": [
        {
            "advisory": "ansible-runner 1.3.1 adds fixes to make default file permissions much more secure, upgrading is recommended.",
            "cve": null,
            "id": "pyup.io-36995",
            "specs": [
                "<1.3.1"
            ],
            "v": "<1.3.1"
        }
    ],
    "ansible-vault": [
        {
            "advisory": "An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.",
            "cve": "CVE-2017-2809",
            "id": "pyup.io-35730",
            "specs": [
                "<1.0.5"
            ],
            "v": "<1.0.5"
        }
    ],
    "ansigenome": [
        {
            "advisory": "ansigenome before 0.6.0 uses yaml.load instead of yaml.safe_load, allowing a code execution vulnerability.",
            "cve": null,
            "id": "pyup.io-34505",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "apache-airflow": [
        {
            "advisory": "apache-airflow 1.10.0 fixes XSS vulnerability in Variable endpoint",
            "cve": null,
            "id": "pyup.io-36832",
            "specs": [
                "<1.10.0"
            ],
            "v": "<1.10.0"
        }
    ],
    "apache-libcloud": [
        {
            "advisory": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.",
            "cve": "CVE-2012-3446",
            "id": "pyup.io-25628",
            "specs": [
                "<0.11.1"
            ],
            "v": "<0.11.1"
        },
        {
            "advisory": "Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.",
            "cve": "CVE-2013-6480",
            "id": "pyup.io-25629",
            "specs": [
                "<0.13.3"
            ],
            "v": "<0.13.3"
        },
        {
            "advisory": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack.",
            "cve": "CVE-2010-4340",
            "id": "pyup.io-35343",
            "specs": [
                "<0.4.1"
            ],
            "v": "<0.4.1"
        }
    ],
    "apidev-coop": [
        {
            "advisory": "apidev-coop is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34979",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "appdaemon": [
        {
            "advisory": "Appdaemon 3.0.4 uses yaml.Safeloader to work around a known security issue with PyYaml.",
            "cve": null,
            "id": "pyup.io-37096",
            "specs": [
                "<3.0.4"
            ],
            "v": "<3.0.4"
        }
    ],
    "appdaemontestframework": [
        {
            "advisory": "appdaemontestframework 2.0.1 updates dependencies to prevent security vulnerabilities",
            "cve": null,
            "id": "pyup.io-37908",
            "specs": [
                "<2.0.1"
            ],
            "v": "<2.0.1"
        },
        {
            "advisory": "appdaemontestframework 2.3.3 update dependencies to fix security vulnerability",
            "cve": null,
            "id": "pyup.io-37907",
            "specs": [
                "<2.3.3"
            ],
            "v": "<2.3.3"
        }
    ],
    "apphelpers": [
        {
            "advisory": "To secure the API access, apphelpers 0.9.2 adds the new options `groups_forbidden` and `groups_required`.",
            "cve": null,
            "id": "pyup.io-37151",
            "specs": [
                "<0.9.2"
            ],
            "v": "<0.9.2"
        }
    ],
    "appwrite": [
        {
            "advisory": "Appwrite 0.4.0:\r\n* Includes a PHP-FPM security patch fix (https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest) - Upgraded PHP version to 7.3.12 [Major]\r\n* Removes executable permission from avatars files [Minor]\r\n* Updates SDK Generator Twig dependency with security issue: https://www.exploit-db.com/exploits/44102 [Minor]",
            "cve": null,
            "id": "pyup.io-37717",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "archmage": [
        {
            "advisory": "Directory traversal vulnerability in arCHMage 0.2.4 allows remote attackers to write to arbitrary files via a .. (dot dot) in a CHM file.",
            "cve": "CVE-2015-1589",
            "id": "pyup.io-25630",
            "specs": [
                "<0.3.1"
            ],
            "v": "<0.3.1"
        }
    ],
    "aspen": [
        {
            "advisory": "aspen 0.39 fixes two security bugs related to CRLF injection -   https://github.com/gratipay/security-qf35us/issues/1",
            "cve": null,
            "id": "pyup.io-36873",
            "specs": [
                "<0.39"
            ],
            "v": "<0.39"
        },
        {
            "advisory": "aspen 0.42 protects against URL redirection attacks (#471)",
            "cve": null,
            "id": "pyup.io-36872",
            "specs": [
                "<0.42"
            ],
            "v": "<0.42"
        }
    ],
    "astropy": [
        {
            "advisory": "astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical  security vulnerability that was identified by NASA.",
            "cve": null,
            "id": "pyup.io-35810",
            "specs": [
                "<3.0.1"
            ],
            "v": "<3.0.1"
        }
    ],
    "att-iot-gateway": [
        {
            "advisory": "Att-iot-gateway before 0.4.0 uses a insecure HTTP connection.",
            "cve": null,
            "id": "pyup.io-34257",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "authbwc": [
        {
            "advisory": "authbwc 0.1.4 fixes an issue with the way the HTTP session user permissions were loaded.  This vulnerability made it possible for a user to gain the permissions of the user logged in previously.  The user would have had to be sharing the same http session for this access to have been gained.",
            "cve": null,
            "id": "pyup.io-25631",
            "specs": [
                "<0.1.4"
            ],
            "v": "<0.1.4"
        },
        {
            "advisory": "authbwc before 0.3.1 has a vulnerability in the password reset process that allowed users to log in when inactive.",
            "cve": null,
            "id": "pyup.io-34836",
            "specs": [
                "<0.3.1"
            ],
            "v": "<0.3.1"
        }
    ],
    "autobahn": [
        {
            "advisory": "In autobahn before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.",
            "cve": null,
            "id": "pyup.io-25632",
            "specs": [
                "<0.15.0"
            ],
            "v": "<0.15.0"
        },
        {
            "advisory": "autobahn 0.6.4 fixes a security issue related to a WAMP-CRA timing attack very, very unlikely to be exploitable.",
            "cve": null,
            "id": "pyup.io-25633",
            "specs": [
                "<0.6.4"
            ],
            "v": "<0.6.4"
        }
    ],
    "avocado-framework": [
        {
            "advisory": "avocado-framework 0.17.0 fixes a temporary dir issue, that had potential security implications.",
            "cve": null,
            "id": "pyup.io-34679",
            "specs": [
                "<0.17.0"
            ],
            "v": "<0.17.0"
        }
    ],
    "awkward": [
        {
            "advisory": "Awkward 0.10.1 closes a security hole and backward incompatibility in `awkward.persist.whitelist` handling.",
            "cve": null,
            "id": "pyup.io-37154",
            "specs": [
                "<0.10.1"
            ],
            "v": "<0.10.1"
        }
    ],
    "aws-parallelcluster": [
        {
            "advisory": "Aws-parallelcluster 2.4.0 removes AWS credentials from the ``parallelcluster`` config file for a better security posture. Credentials can now be set up following the canonical procedure used for the aws cli.",
            "cve": null,
            "id": "pyup.io-37211",
            "specs": [
                "<2.4.0"
            ],
            "v": "<2.4.0"
        }
    ],
    "awscli": [
        {
            "advisory": "awscli 1.11.83 fixes a possible security issue where files could be downloaded to a directory outside the destination directory if the key contained relative paths when downloading files recursively.",
            "cve": null,
            "id": "pyup.io-34627",
            "specs": [
                "<1.11.83"
            ],
            "v": "<1.11.83"
        }
    ],
    "backend.ai-manager": [
        {
            "advisory": "Backend.ai-manager 19.09.0rc4 fixes privilege escalation because domain-admins could run sessions on behalf of super-admins in the same domain. It also introduces Image import (171) - currently this is limited to import Python-based kernels only. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon.  Importing as service-port only image support will be added in future releases.",
            "cve": null,
            "id": "pyup.io-37531",
            "specs": [
                "<19.09.0rc4"
            ],
            "v": "<19.09.0rc4"
        }
    ],
    "bakercm": [
        {
            "advisory": "bakercm 0.4.4 updates pythoncryptodome after security issue #16",
            "cve": null,
            "id": "pyup.io-36651",
            "specs": [
                "<0.4.4"
            ],
            "v": "<0.4.4"
        }
    ],
    "basketball-reference-web-scraper": [
        {
            "advisory": "Basketball-reference-web-scraper 4.2.2 includes upgrades the `urllib3` library to `1.25.2` due to a security vulnerability with versions less than `1.24.2`.",
            "cve": null,
            "id": "pyup.io-37123",
            "specs": [
                "<4.2.2"
            ],
            "v": "<4.2.2"
        },
        {
            "advisory": "Basketball-reference-web-scraper 4.2.3 updates urllib3 to 1.24.3 to avoid a security vulnerability. This also fulfills the requirement to update the `requests` version.",
            "cve": null,
            "id": "pyup.io-37195",
            "specs": [
                "<4.2.3"
            ],
            "v": "<4.2.3"
        }
    ],
    "bbcode": [
        {
            "advisory": "bbcode 1.0.9 escapes quotes correctly to prevent XSS",
            "cve": null,
            "id": "pyup.io-25634",
            "specs": [
                "<1.0.9"
            ],
            "v": "<1.0.9"
        }
    ],
    "beaker": [
        {
            "advisory": "beaker 0.9.4 fixes security issue with Beaker not properly removing directory escaping characters from the session ID when un-signed sessions are used.",
            "cve": null,
            "id": "pyup.io-25635",
            "specs": [
                "<0.9.4"
            ],
            "v": "<0.9.4"
        },
        {
            "advisory": "Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.",
            "cve": "CVE-2012-3458",
            "id": "pyup.io-25636",
            "specs": [
                "<1.6.4"
            ],
            "v": "<1.6.4"
        }
    ],
    "benchexec": [
        {
            "advisory": "Benchexec 2.2 fixes two security issues:\r\n- Since BenchExec 2.1, the setup of the container for the tool-info module (which was added in BenchExec 1.20) could silently fail, for example if user namespaces are disabled on the system. In this case the tool-info module would be executed outside of the container. Run execution was not affected.\r\n- The kernel offers a keyring feature for storage of keys related to features like Kerberos and ecryptfs. Before Linux 5.2, there existed one keyring per user, and BenchExec did not prevent access from the tool inside the container to the kernel keyring of the user who started BenchExec. Now such accesses are forbidden (on all kernel versions) using seccomp (http://man7.org/linux/man-pages/man2/seccomp.2.html) if libseccomp2 (https://github.com/seccomp/libseccomp) is installed, which should be the case on any standard distribution. Note that seccomp filters do have a slight performance impact and could prevent some binaries on exotic architectures from working. In such a case please file a bug report (https://github.com/sosy-lab/benchexec/issues/new).",
            "cve": null,
            "id": "pyup.io-37510",
            "specs": [
                "<2.2"
            ],
            "v": "<2.2"
        }
    ],
    "bepasty": [
        {
            "advisory": "bepasty 0.3.0 contains two security fixes:  \r\n- When showing potentially dangerous text/* types, force the\r\n  content-type to be text/plain and also turn the browser's sniffer off.\r\n- Prevent disclosure of locked item's metadata",
            "cve": null,
            "id": "pyup.io-25637",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "berglas": [
        {
            "advisory": "Berglas 0.2.0 no longer trusts the environment variables.",
            "cve": null,
            "id": "pyup.io-37340",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "bigchaindb-driver": [
        {
            "advisory": "bigchaindb-driver before 0.5.2 used an unsecure version of `cryptoconditions` - CVE-2018-10903",
            "cve": null,
            "id": "pyup.io-36427",
            "specs": [
                "<0.5.2"
            ],
            "v": "<0.5.2"
        }
    ],
    "bigdl": [
        {
            "advisory": "Bigdl 0.8.0 fixes the scala compiler security issue in 2.10 & 2.11",
            "cve": null,
            "id": "pyup.io-37576",
            "specs": [
                "<0.8.0"
            ],
            "v": "<0.8.0"
        }
    ],
    "bincrafters-envy": [
        {
            "advisory": "bincrafters-envy 0.1.3 updates the request module",
            "cve": null,
            "id": "pyup.io-36732",
            "specs": [
                "<0.1.3"
            ],
            "v": "<0.1.3"
        }
    ],
    "birdhousebuilder-recipe-nginx": [
        {
            "advisory": "birdhousebuilder-recipe-nginx  0.1.5 disables the use of SSLv3 (poodle attack).",
            "cve": null,
            "id": "pyup.io-36135",
            "specs": [
                "<0.1.5"
            ],
            "v": "<0.1.5"
        }
    ],
    "birdhousebuilder.recipe.nginx": [
        {
            "advisory": "birdhousebuilder.recipe.nginx 0.1.5 disabled SSLv3 due to the poodle attack.",
            "cve": null,
            "id": "pyup.io-25638",
            "specs": [
                "<0.1.5"
            ],
            "v": "<0.1.5"
        }
    ],
    "bise.theme": [
        {
            "advisory": "bise.theme 2.4 fixes a potential XSS issue with catalogue search.",
            "cve": null,
            "id": "pyup.io-25639",
            "specs": [
                "<2.4"
            ],
            "v": "<2.4"
        }
    ],
    "bitbot": [
        {
            "advisory": "For security reasons, REST API only listens on localhost in Bitbot 1.12.0.",
            "cve": null,
            "id": "pyup.io-37551",
            "specs": [
                "<1.12.0"
            ],
            "v": "<1.12.0"
        }
    ],
    "bjoern": [
        {
            "advisory": "bjoern before 1.4.2 uses a insecure Django release which is vulnerable to CVE-2015-0219, see https://www.djangoproject.com/weblog/2015/jan/13/security/.",
            "cve": null,
            "id": "pyup.io-25640",
            "specs": [
                "<1.4.2"
            ],
            "v": "<1.4.2"
        }
    ],
    "bleach": [
        {
            "advisory": "bleach 2.1 converts control characters (backspace particularly) to \"?\" preventing malicious copy-and-paste situations.",
            "cve": null,
            "id": "pyup.io-34965",
            "specs": [
                "<2.1"
            ],
            "v": "<2.1"
        },
        {
            "advisory": "The ``bleach.clean`` behavior parsing ``noscript`` tags did not match browser behavior in Bleach versions v2.1.4, v3.0.2, and v3.1.0 (and probably earlier versions too). \r\n\r\nCalls to ``bleach.clean`` allowing ``noscript`` and one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.\r\n\r\nSee: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315",
            "cve": null,
            "id": "pyup.io-37910",
            "specs": [
                "<=3.1.0"
            ],
            "v": "<=3.1.0"
        },
        {
            "advisory": "The ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags in Bleach versions <= 3.1.1 did not match browser behavior and could result in a mutation XSS.\r\n\r\nCalls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.\r\n\r\nThis security issue was confirmed in Bleach version v3.1.1. Earlier versions are likely affected too.",
            "cve": null,
            "id": "pyup.io-38076",
            "specs": [
                "<=3.1.1"
            ],
            "v": "<=3.1.1"
        },
        {
            "advisory": "The ``bleach.clean`` behavior parsing style attributes in bleach before 3.1.4 could result in a regular expression denial of service (ReDoS). Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``.  This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.",
            "cve": null,
            "id": "pyup.io-38107",
            "specs": [
                "<=3.1.3"
            ],
            "v": "<=3.1.3"
        },
        {
            "advisory": "bleach  2.1.3 fixes a security issue.  Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.",
            "cve": "CVE-2018-7753",
            "id": "pyup.io-35792",
            "specs": [
                ">=2.1,<2.1.3"
            ],
            "v": ">=2.1,<2.1.3"
        }
    ],
    "blinkpy": [
        {
            "advisory": "blinkpy 0.10.2 sets minimum required version of the requests library to 2.20.0 due to vulnerability in earlier releases.",
            "cve": null,
            "id": "pyup.io-36596",
            "specs": [
                "<0.10.2"
            ],
            "v": "<0.10.2"
        }
    ],
    "block-io": [
        {
            "advisory": "block-io 1.1.7 includes a fix for CVE-2013-7459 - https://security-tracker.debian.org/tracker/CVE-2013-7459",
            "cve": "CVE-2013-7459",
            "id": "pyup.io-36442",
            "specs": [
                "<1.1.7"
            ],
            "v": "<1.1.7"
        },
        {
            "advisory": "block-io 1.1.9 includes a Fix for Requests vulnerability: [CVE-2018-18074](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074)",
            "cve": null,
            "id": "pyup.io-36712",
            "specs": [
                "<1.1.9"
            ],
            "v": "<1.1.9"
        }
    ],
    "bodhi": [
        {
            "advisory": "bodhi 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is\r\nwarped to make it more difficult to solve through automation.\r\n\r\n- https://github.com/fedora-infra/bodhi/pull/857\r\n- https://github.com/fedora-infra/bodhi/commit/f0122855",
            "cve": null,
            "id": "pyup.io-34274",
            "specs": [
                "<2.2.0"
            ],
            "v": "<2.2.0"
        },
        {
            "advisory": "In bodhi before 2.9.1 it is possible to inject JavaScript into Bodhi's web interface through Bugzilla ticket subjects.",
            "cve": null,
            "id": "pyup.io-35208",
            "specs": [
                "<2.9.1"
            ],
            "v": "<2.9.1"
        }
    ],
    "bodhi-server": [
        {
            "advisory": "bodhi-server 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is\\r\\nwarped to make it more difficult to solve through automation.\\r\\n\\r\\n- https://github.com/fedora-infra/bodhi/pull/857\\r\\n- https://github.com/fedora-infra/bodhi/commit/f0122855",
            "cve": null,
            "id": "pyup.io-34241",
            "specs": [
                "<2.2.0"
            ],
            "v": "<2.2.0"
        }
    ],
    "bok-choy": [
        {
            "advisory": "bok-choy 0.5.1 contains a fix to XSS vulnerability in the auditing feature.",
            "cve": null,
            "id": "pyup.io-25641",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        }
    ],
    "bokeh": [
        {
            "advisory": "bokeh before 1.0.4 used a Pyyaml version that was vulnerable to cve-2017-18342",
            "cve": null,
            "id": "pyup.io-36780",
            "specs": [
                "<1.0.4"
            ],
            "v": "<1.0.4"
        },
        {
            "advisory": "Bokeh before 1.1.0 includes a handlebars security vulnerability [components: bokehjs & build]. NPM won't install.",
            "cve": null,
            "id": "pyup.io-37031",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        },
        {
            "advisory": "Bokeh 1.2.0 fixes a security vulnerabilities reported by npm audit.",
            "cve": null,
            "id": "pyup.io-37170",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "boss-cli": [
        {
            "advisory": "boss-cli 1.0.0alpha.18 fixes CVE-2018-7750 security vulnerability - https://github.com/kabirbaidhya/boss/pull/126",
            "cve": "CVE-2018-7750",
            "id": "pyup.io-36543",
            "specs": [
                "<1.0.0alpha.18"
            ],
            "v": "<1.0.0alpha.18"
        },
        {
            "advisory": "boss-cli 1.0.0alpha.20 fixes CVE-2018-18074 vulnerablility due to requests",
            "cve": null,
            "id": "pyup.io-36595",
            "specs": [
                "<1.0.0alpha.20"
            ],
            "v": "<1.0.0alpha.20"
        },
        {
            "advisory": "Boss-cli 1.0.0beta.6 uses yaml.FullLoader for loading yaml config and upgrades the dependency pyyaml (CVE-2017-18342).",
            "cve": "CVE-2017-18342",
            "id": "pyup.io-37129",
            "specs": [
                "<1.0.0beta.6"
            ],
            "v": "<1.0.0beta.6"
        }
    ],
    "bottle": [
        {
            "advisory": "redirect() in bottle.py in bottle 0.12.10 doesn't filter a \"\\r\\n\" sequence, which leads to a CRLF attack, as demonstrated by a redirect(\"233\\r\\nSet-Cookie: name=salt\") call.",
            "cve": "CVE-2016-9964",
            "id": "pyup.io-25642",
            "specs": [
                "<0.12.10"
            ],
            "v": "<0.12.10"
        },
        {
            "advisory": "Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.",
            "cve": "CVE-2014-3137",
            "id": "pyup.io-35548",
            "specs": [
                ">=0.10,<0.10.12",
                ">=0.11,<0.11.7",
                ">=0.12,<0.12.6"
            ],
            "v": ">=0.10,<0.10.12,>=0.11,<0.11.7,>=0.12,<0.12.6"
        }
    ],
    "boussole": [
        {
            "advisory": "Boussole 1.5.0 fixes the PyYAML 'load()' deprecation warning. For a recent security issue, PyYAML has introduced a change to its ``load()`` method to be more safe. Boussole now uses the full loader mode so it does not trigger a warning anymore.",
            "cve": null,
            "id": "pyup.io-37147",
            "specs": [
                "<1.5.0"
            ],
            "v": "<1.5.0"
        }
    ],
    "brasil.gov.portal": [
        {
            "advisory": "brasil.gov.portal before 1.5.1 uses Plone <4.3.15 which is vulnerable to several XSS and redirect flaws, and a sandbox escape.",
            "cve": null,
            "id": "pyup.io-35086",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "bsblan": [
        {
            "advisory": "Bsblan 0.27 sets the DEFAULT_FLAG in config to read-only for added level of security.",
            "cve": null,
            "id": "pyup.io-37697",
            "specs": [
                "<0.27"
            ],
            "v": "<0.27"
        }
    ],
    "buildbot": [
        {
            "advisory": "Buildbot before 1.3.0 did not use ``hmac.compare_digest()`` in GitHub hooks.",
            "cve": null,
            "id": "pyup.io-36320",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        },
        {
            "advisory": "Buildbot 1.8.2 fixes a vulnerability in OAuth where user-submitted authorization tokens are used for authentication. See: <https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication>.",
            "cve": null,
            "id": "pyup.io-37161",
            "specs": [
                "<1.8.2"
            ],
            "v": "<1.8.2"
        },
        {
            "advisory": "buildbot 2.0.0 fixes CRLF injection vulnerability with validating user provided redirect parameters (https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code)",
            "cve": null,
            "id": "pyup.io-36865",
            "specs": [
                "<2.0.0"
            ],
            "v": "<2.0.0"
        },
        {
            "advisory": "Buildbot 2.3.1 fixes a vulnerability in OAuth where a user-submitted authorization token was used for authentication. See: <https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication>.",
            "cve": null,
            "id": "pyup.io-37160",
            "specs": [
                "<2.3.1"
            ],
            "v": "<2.3.1"
        }
    ],
    "bzip": [
        {
            "advisory": "bzip  is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34980",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "cairosvg": [
        {
            "advisory": "cairosvg 1.0.21 is a security update. CairoSVG was vulnerable to XML eXternal Entity (XXE) attacks, this release fixes this vulnerability by not resolving the XML entities anymore. The ``--unsafe`` option has been added to force the resolution of XML entities. Obviously, this option is not safe and should only be used with trusted SVG files.",
            "cve": null,
            "id": "pyup.io-25643",
            "specs": [
                "<1.0.21"
            ],
            "v": "<1.0.21"
        }
    ],
    "callisto-core": [
        {
            "advisory": "Callisto-core 0.27.9 includes some not further specified security updates.",
            "cve": null,
            "id": "pyup.io-37355",
            "specs": [
                "<0.27.9"
            ],
            "v": "<0.27.9"
        }
    ],
    "candig-server": [
        {
            "advisory": "Candig-server 0.9.0 has enhanced security through a refined data access control mechanism.",
            "cve": null,
            "id": "pyup.io-37219",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        },
        {
            "advisory": "candig-server 0.9.2 changes: Jinja2 package has been updated to resolve security vulnerability issues.",
            "cve": null,
            "id": "pyup.io-37218",
            "specs": [
                "<0.9.2"
            ],
            "v": "<0.9.2"
        },
        {
            "advisory": "Candig-server 1.0.2 updates WerkZeug to 0.15.5 to resolve its security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37467",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        }
    ],
    "cbapi": [
        {
            "advisory": "The underlying CbAPI connection class erroneously disabled hostname validation by default. This does *not* affect code that uses CbAPI through the public interfaces documented here; it only affects code that accesses the new  ``CbAPISessionAdapter`` class directly. This class was introduced in version 1.3.3. Regardless, it is strongly recommended that all users currently using 1.3.3 upgrade to 1.3.4.",
            "cve": null,
            "id": "pyup.io-34933",
            "specs": [
                ">=1.3.3,<1.3.4"
            ],
            "v": ">=1.3.3,<1.3.4"
        }
    ],
    "celery": [
        {
            "advisory": "Insecure default configuration The default accept_content setting was set to allow deserialization of pickled messages in Celery 4.0.0. The insecure default has been fixed in 4.0.1, and you can also configure the 4.0.0 version to explicitly only allow json serialized messages.",
            "cve": null,
            "id": "pyup.io-25646",
            "specs": [
                ">=4.0,<4.0.1"
            ],
            "v": ">=4.0,<4.0.1"
        }
    ],
    "cellxgene": [
        {
            "advisory": "Cellxgene 0.12.0 has Python and Javascript package updates, for both security and performance.",
            "cve": null,
            "id": "pyup.io-37801",
            "specs": [
                "<0.12.0"
            ],
            "v": "<0.12.0"
        }
    ],
    "centrifuge": [
        {
            "advisory": "centrifuge 0.3.8 includes a security fix! Please, upgrade to this version or disable access to `/dumps` location.",
            "cve": null,
            "id": "pyup.io-25647",
            "specs": [
                "<0.3.8"
            ],
            "v": "<0.3.8"
        }
    ],
    "cerulean": [
        {
            "advisory": "cerulean 0.3.4 - Directory permissions when using mkdir(). This is a security issue, and you\r\n  should upgrade as soon as possible.",
            "cve": null,
            "id": "pyup.io-36796",
            "specs": [
                "<0.3.4"
            ],
            "v": "<0.3.4"
        }
    ],
    "cffconvert": [
        {
            "advisory": "cffconvert 1.0.3 updates requests from 2.18.4 to 2.20.0 (security bugfix)",
            "cve": null,
            "id": "pyup.io-36623",
            "specs": [
                "<1.0.3"
            ],
            "v": "<1.0.3"
        }
    ],
    "cfscrape": [
        {
            "advisory": "An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0.",
            "cve": "CVE-2017-7235",
            "id": "pyup.io-35741",
            "specs": [
                ">=1.6.6,<1.7.1"
            ],
            "v": ">=1.6.6,<1.7.1"
        },
        {
            "advisory": "Please upgrade to 1.8.0 immediately.\r\n\r\nVersions 1.6.6 to 1.7.1 are vulnerable to code execution. If you are running a vulnerable version, a malicious website owner could craft a page which executes arbitrary Python code on the machine that runs this script. This can only occur if the website that the user attempts to scrape has specifically prepared a page to exploit vulnerable versions of cfscrape.",
            "cve": null,
            "id": "pyup.io-34275",
            "specs": [
                ">=1.6.6,<=1.8"
            ],
            "v": ">=1.6.6,<=1.8"
        }
    ],
    "chanjo-report": [
        {
            "advisory": "chanjo-report 2.4.0 removes a link to the \"index\" page from the report (security).",
            "cve": null,
            "id": "pyup.io-25648",
            "specs": [
                "<2.4.0"
            ],
            "v": "<2.4.0"
        }
    ],
    "chaosloader": [
        {
            "advisory": "Chaosloader 1.0.0 adds secure encrypted password to travis.yml.",
            "cve": null,
            "id": "pyup.io-37048",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "charm-tools": [
        {
            "advisory": "Charm-tools 2.6.0 addresses security alerts from GitHub (#484).",
            "cve": null,
            "id": "pyup.io-37201",
            "specs": [
                "<2.6.0"
            ],
            "v": "<2.6.0"
        }
    ],
    "cheetah": [
        {
            "advisory": "cheetah 0.9.17rc1 removeS the use of temp files for handling imports with dynamic compilation. This removes a whole slew of issues, including a temp file security issue.",
            "cve": null,
            "id": "pyup.io-25649",
            "specs": [
                "<0.9.17rc1"
            ],
            "v": "<0.9.17rc1"
        }
    ],
    "cheetah3": [
        {
            "advisory": "Cheetah3 version 3.2.2 replaces the outdated and insecure ``mktemp`` with ``mkstemp``.",
            "cve": null,
            "id": "pyup.io-37134",
            "specs": [
                "<3.2.2"
            ],
            "v": "<3.2.2"
        }
    ],
    "cherrymusic": [
        {
            "advisory": "Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the \"value\" parameter to \"download.\"",
            "cve": "CVE-2015-8309",
            "id": "pyup.io-25650",
            "specs": [
                "<0.36.0"
            ],
            "v": "<0.36.0"
        }
    ],
    "cinder": [
        {
            "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.",
            "cve": "CVE-2013-1068",
            "id": "pyup.io-25651",
            "specs": [
                "<2013.2.3"
            ],
            "v": "<2013.2.3"
        }
    ],
    "cipher.googlepam": [
        {
            "advisory": "In cipher.googlepam before 1.5.1 do not use the same cache key for all users. Previously when one user logged in successfully, others could not log in using their own passwords -- but the first user could now use her password to log in as anyone else.",
            "cve": null,
            "id": "pyup.io-25652",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "circup": [
        {
            "advisory": "circup 0.0.6 includes an unspecified security fix",
            "cve": null,
            "id": "pyup.io-37936",
            "specs": [
                "<0.0.6"
            ],
            "v": "<0.0.6"
        }
    ],
    "ckan": [
        {
            "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.",
            "cve": null,
            "id": "pyup.io-34556",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        },
        {
            "advisory": "ckan 1.8.1 fixes possible XSS vulnerability on html input.",
            "cve": null,
            "id": "pyup.io-34558",
            "specs": [
                "<1.8.1"
            ],
            "v": "<1.8.1"
        }
    ],
    "clam": [
        {
            "advisory": "clam 0.9.10 contains security fixes, better protection against possible code injection.",
            "cve": null,
            "id": "pyup.io-25653",
            "specs": [
                "<0.9.10"
            ],
            "v": "<0.9.10"
        },
        {
            "advisory": "clam 0.9.11 contains unknown security fixes in dispatcher.",
            "cve": null,
            "id": "pyup.io-25654",
            "specs": [
                "<0.9.11"
            ],
            "v": "<0.9.11"
        }
    ],
    "clearsilver": [
        {
            "advisory": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.",
            "cve": "CVE-2011-4357",
            "id": "pyup.io-25655",
            "specs": [
                "<0.10.5"
            ],
            "v": "<0.10.5"
        }
    ],
    "client-sdk-python": [
        {
            "advisory": "Client-sdk-python 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.",
            "cve": null,
            "id": "pyup.io-37584",
            "specs": [
                "<4.7.0"
            ],
            "v": "<4.7.0"
        }
    ],
    "cloudinary": [
        {
            "advisory": "cloudinary before 1.0.21 is vulnerable to an XSS attack on cloudinary_cors.html.",
            "cve": null,
            "id": "pyup.io-34603",
            "specs": [
                "<1.0.21"
            ],
            "v": "<1.0.21"
        }
    ],
    "cmdlr": [
        {
            "advisory": "cmdlr 4.1.0 resists malicious js attack in `run_in_nodejs`",
            "cve": null,
            "id": "pyup.io-36854",
            "specs": [
                "<4.1.0"
            ],
            "v": "<4.1.0"
        }
    ],
    "cmsplugin-filer": [
        {
            "advisory": "cmsplugin-filer 1.0.0 contains an unknown XSS fix.",
            "cve": null,
            "id": "pyup.io-25656",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "cnx-publishing": [
        {
            "advisory": "Cnx-publishing 0.17.6 bumps urllib3 for a security fix.",
            "cve": null,
            "id": "pyup.io-38128",
            "specs": [
                "<0.17.6"
            ],
            "v": "<0.17.6"
        }
    ],
    "cockroachdb": [
        {
            "advisory": "cockroachdb 0.3.2 updated urllib3 to remove security vulnerability.",
            "cve": null,
            "id": "pyup.io-37264",
            "specs": [
                "<0.3.2"
            ],
            "v": "<0.3.2"
        }
    ],
    "codalab": [
        {
            "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-36386",
            "specs": [
                "<0.2.33"
            ],
            "v": "<0.2.33"
        }
    ],
    "codecov": [
        {
            "advisory": "Codecov 2.0.16 fixes a reported command injection vulnerability.",
            "cve": null,
            "id": "pyup.io-37934",
            "specs": [
                "<2.0.16"
            ],
            "v": "<2.0.16"
        },
        {
            "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.",
            "cve": null,
            "id": "pyup.io-38075",
            "specs": [
                "<2.0.17"
            ],
            "v": "<2.0.17"
        }
    ],
    "coinbasepro": [
        {
            "advisory": "coinbasepro 0.1.0 updates requests version to >=2.20.0 to address security vulnerability.",
            "cve": null,
            "id": "pyup.io-36975",
            "specs": [
                "<0.1.0"
            ],
            "v": "<0.1.0"
        }
    ],
    "coincurve": [
        {
            "advisory": "coincurve before 8.0.0 does not support the new GitHub and PyPI security requirements. \r\nBinary wheels on macOS for Python 3.5 now uses Homebrew Python for compilation due to new security requirements.",
            "cve": null,
            "id": "pyup.io-36299",
            "specs": [
                "<8.0.0"
            ],
            "v": "<8.0.0"
        }
    ],
    "colander": [
        {
            "advisory": "colander 1.7.0 - The URL validator regex has been updated to no longer be vulnerable to a\r\n  catastrophic backtracking that would have led to an infinite loop.",
            "cve": null,
            "id": "pyup.io-36856",
            "specs": [
                "<1.7.0"
            ],
            "v": "<1.7.0"
        }
    ],
    "collective-contact-core": [
        {
            "advisory": "collective-contact-core before 1.10",
            "cve": null,
            "id": "pyup.io-36089",
            "specs": [
                "<1.10"
            ],
            "v": "<1.10"
        }
    ],
    "collective-noticeboard": [
        {
            "advisory": "collective-noticeboard before 0.7.1 has a security issue, anonymous users could modify notes positions.",
            "cve": null,
            "id": "pyup.io-35879",
            "specs": [
                "<0.7.1"
            ],
            "v": "<0.7.1"
        }
    ],
    "collective.contact.core": [
        {
            "advisory": "collective.contact.core 1.10 fixes a security issue related to AddContact.",
            "cve": null,
            "id": "pyup.io-25657",
            "specs": [
                "<1.10"
            ],
            "v": "<1.10"
        }
    ],
    "collective.documentviewer": [
        {
            "advisory": "collective.documentviewer 1.5.1 fixes a security issue on file resources.",
            "cve": null,
            "id": "pyup.io-25658",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "collective.js.datatables": [
        {
            "advisory": "collective.js.datatables 4.1.1 updates Datatables to 1.10.11, due to a XSS vulnerability in 1.10.4.",
            "cve": null,
            "id": "pyup.io-25659",
            "specs": [
                "<4.1.1"
            ],
            "v": "<4.1.1"
        }
    ],
    "collective.noticeboard": [
        {
            "advisory": "collective.noticeboard 0.7.1 fixes a security issue, anonymous users could modify notes positions.",
            "cve": null,
            "id": "pyup.io-25660",
            "specs": [
                "<0.7.1"
            ],
            "v": "<0.7.1"
        }
    ],
    "collective.portlet.twitter": [
        {
            "advisory": "collective.portlet.twitter 1.0b3 fixes a potential XSS (arbitrary injection) issue by escaping and quoting all attributes being set on the rendered portlet.",
            "cve": null,
            "id": "pyup.io-25661",
            "specs": [
                "<1.0b3"
            ],
            "v": "<1.0b3"
        }
    ],
    "collective.tablepage": [
        {
            "advisory": "collective.tablepage 0.3 fixes a security problem: data inside text cells were transformed to HTML without any check.",
            "cve": null,
            "id": "pyup.io-25664",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        }
    ],
    "collective.xmpp.chat": [
        {
            "advisory": "collective.xmpp.chat 0.3.1 updates convers.js to 0.6.3 which includes an important security fix.",
            "cve": null,
            "id": "pyup.io-25666",
            "specs": [
                "<0.3.1"
            ],
            "v": "<0.3.1"
        }
    ],
    "collins-client": [
        {
            "advisory": "Collins 2.1.0 has a very important security patch.\r\n\r\nCollins has a feature that allows you to [encrypt certain attributes](http://tumblr.github.io/collins/configuration.htmlfeatures) on every asset.  It also had a permission that restricted which users could read those encrypted tags.  It did NOT have a permission that restricted which users could modify encrypted tags.\r\n\r\n*It is strongly recommended that you upgrade to collins 2.1.0 if you are using the encrypted tags feature, as well as rotate any values stored in encrypted tags.*\r\n\r\nThe severity of this vulnerability depends heavily upon how you use collins in your infrastructure.  If you do not use the encrypted tags feature, you are not vulnerable to this problem.  If you do use the encrypted tags feature, you will need to explore your automation and consider how vulnerable you are.\r\n\r\nIf, for example, your infrastructure has automation that regularly sets the root password on servers to match a value that is in collins, an attacker without the ability to read the current password could set it to a value that they know, wait for the automation to change the password, and then gain root on a server.\r\n\r\nThis change is backwards compatible with collins v2.0.0, though once you upgrade it will stop any writes to encrypted tags by users that have not been granted `feature.canWriteEncryptedTags` permission.  We have also renamed `feature.canSeePasswords` to `feature.canSeeEncryptedTags`, but collins will continue to respect the value of `feature.canSeePasswords` if `feature.canSeeEncryptedTags` is not set.  Once `feature.canSeeEncryptedTags` is set, collins will ignore the value of `feature.canSeePasswords`.",
            "cve": null,
            "id": "pyup.io-25667",
            "specs": [
                "<2.1.0"
            ],
            "v": "<2.1.0"
        }
    ],
    "colonyscanalyser": [
        {
            "advisory": "Colonyscanalyser 0.2.0 adds snyk security checks for dependencies.",
            "cve": null,
            "id": "pyup.io-37635",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "conference-scheduler-cli": [
        {
            "advisory": "In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.",
            "cve": "CVE-2018-14572",
            "id": "pyup.io-36425",
            "specs": [
                "<=0.10.1"
            ],
            "v": "<=0.10.1"
        }
    ],
    "confidant": [
        {
            "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. Also, any tokens that are expired will now correctly fail to authenticate.",
            "cve": null,
            "id": "pyup.io-26670",
            "specs": [
                "<1.1.13"
            ],
            "v": "<1.1.13"
        },
        {
            "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS  authentication vulnerability in the unreleased 1.1 branch while performing an  audit of the code. The vulnerability was introduced while adding the scoped auth  key feature (for limiting authentication keys and services to specific AWS  accounts), where the key was not properly checked after decryption. This check is  an additional verification to add additional safety on-top of the IAM policy of  your KMS keys. If IAM policy allows users to use KMS keys without limits on  encryption context, a KMS key that wasn't intended to be used for auth, could be  used for auth.",
            "cve": null,
            "id": "pyup.io-25668",
            "specs": [
                "<1.1.14"
            ],
            "v": "<1.1.14"
        },
        {
            "advisory": "In confidant 5.0.0, requirements have been updated to resolve some reported security vulnerabilities in a few of the frozen requirements. A library affecting user sessions was upgraded which will cause users to be logged out after upgrade, which means if you're doing a rolling upgrade, that during the upgrade, you may have users that seemingly randomly get logged out. After a finished upgrade, users should only be logged out once, if they're currently logged in.",
            "cve": null,
            "id": "pyup.io-37471",
            "specs": [
                "<5.0.0"
            ],
            "v": "<5.0.0"
        }
    ],
    "confidence": [
        {
            "advisory": "confidence before 0.4 has a security vulnerability from using ``yaml.load``. \r\nconfidence >=0.4 now uses ``yaml.safe_load``",
            "cve": null,
            "id": "pyup.io-36308",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        }
    ],
    "confire": [
        {
            "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from \"~/.confire.yaml\" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.",
            "cve": "CVE-2017-16763",
            "id": "pyup.io-35721",
            "specs": [
                "<=0.2.0"
            ],
            "v": "<=0.2.0"
        }
    ],
    "confluent-kafka": [
        {
            "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.",
            "cve": null,
            "id": "pyup.io-37508",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        },
        {
            "advisory": "Confluent-kafka 1.3.0 upgrades builtin lz4 to 1.9.2. See https://github.com/edenhill/librdkafka/issues/2598 and CVE-2019-17543.",
            "cve": "CVE-2019-17543",
            "id": "pyup.io-38072",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        }
    ],
    "conn-check": [
        {
            "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.",
            "cve": null,
            "id": "pyup.io-25669",
            "specs": [
                "<1.0.18"
            ],
            "v": "<1.0.18"
        }
    ],
    "container-service-extension": [
        {
            "advisory": "container-service-extension 1.2.5 adds K8s vulnerability patching",
            "cve": null,
            "id": "pyup.io-36876",
            "specs": [
                "<1.2.5"
            ],
            "v": "<1.2.5"
        },
        {
            "advisory": "Container-service-extension 2.5.0b1  updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.",
            "cve": null,
            "id": "pyup.io-37529",
            "specs": [
                "<2.5.0b1"
            ],
            "v": "<2.5.0b1"
        }
    ],
    "contentful": [
        {
            "advisory": "contentful 1.11.3 updates `requests` version due to a vulnerability found in versions `2.19` and below",
            "cve": null,
            "id": "pyup.io-36633",
            "specs": [
                "<1.11.3"
            ],
            "v": "<1.11.3"
        }
    ],
    "contentful-management": [
        {
            "advisory": "contentful-management 2.5.0 updates `requests` version due to a vulnerability found in versions `2.19` and below.",
            "cve": null,
            "id": "pyup.io-36599",
            "specs": [
                "<2.5.0"
            ],
            "v": "<2.5.0"
        }
    ],
    "contestms": [
        {
            "advisory": "contestms 1.2.0 fixes several security bugs around an unsafe use of isolate. These won't be backported to 1.1, so make sure you update.",
            "cve": null,
            "id": "pyup.io-34249",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "cookie-manager": [
        {
            "advisory": "Cookie-manager 1.0.3 bumps dependency versions to fix a security issue.",
            "cve": null,
            "id": "pyup.io-38106",
            "specs": [
                "<1.0.3"
            ],
            "v": "<1.0.3"
        }
    ],
    "cookiecutter": [
        {
            "advisory": "Cookiecutter 0.1.0 fixes insecure gitlab_token retrieval - see: https://github.com/NathanUrwin/cookiecutter-git/issues/6",
            "cve": null,
            "id": "pyup.io-34683",
            "specs": [
                "<0.1.0"
            ],
            "v": "<0.1.0"
        },
        {
            "advisory": "Cookiecutter 0.3.1 updates Pillow version to 3.2.0 (security fix).",
            "cve": null,
            "id": "pyup.io-27445",
            "specs": [
                "<0.3.1"
            ],
            "v": "<0.3.1"
        },
        {
            "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.",
            "cve": null,
            "id": "pyup.io-37672",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "cosmos-wfm": [
        {
            "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious hackers can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).",
            "cve": null,
            "id": "pyup.io-34181",
            "specs": [
                "<2.1.1"
            ],
            "v": "<2.1.1"
        }
    ],
    "coveralls": [
        {
            "advisory": "coveralls 0.1.1 removes repo_token from verbose output for security reasons.",
            "cve": null,
            "id": "pyup.io-25671",
            "specs": [
                "<0.1.1"
            ],
            "v": "<0.1.1"
        }
    ],
    "cplay-ng": [
        {
            "advisory": "cplay-ng 1.50 fixes insecure /tmp handling.",
            "cve": null,
            "id": "pyup.io-25672",
            "specs": [
                "<1.50"
            ],
            "v": "<1.50"
        }
    ],
    "creavel": [
        {
            "advisory": "creavel before 0.11.0 has a unspecified security issue and is vulnerable via unknown vectors.",
            "cve": null,
            "id": "pyup.io-25673",
            "specs": [
                "<0.11.0"
            ],
            "v": "<0.11.0"
        },
        {
            "advisory": "creavel 0.14.0 fixes jinja2 security by using SandboxedEnvironment.",
            "cve": null,
            "id": "pyup.io-25674",
            "specs": [
                "<0.14.0"
            ],
            "v": "<0.14.0"
        }
    ],
    "credstash": [
        {
            "advisory": "credstash 1.16.0 updates to pyyaml>=4.2b1 due to security vulnerability in older versions",
            "cve": null,
            "id": "pyup.io-37852",
            "specs": [
                "<1.16.0"
            ],
            "v": "<1.16.0"
        }
    ],
    "creopyson": [
        {
            "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.",
            "cve": null,
            "id": "pyup.io-37964",
            "specs": [
                "<0.4.2"
            ],
            "v": "<0.4.2"
        }
    ],
    "cromwell-tools": [
        {
            "advisory": "cromwell-tools 1.0.0 updates requests to avoid security issues.",
            "cve": null,
            "id": "pyup.io-36659",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "crossbar": [
        {
            "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.",
            "cve": null,
            "id": "pyup.io-25675",
            "specs": [
                "<0.15.0"
            ],
            "v": "<0.15.0"
        },
        {
            "advisory": "crossbar 0.6.4 fixes a WAMP-CRA timing attack very, very unlikely to be exploitable.",
            "cve": null,
            "id": "pyup.io-25676",
            "specs": [
                "<0.6.4"
            ],
            "v": "<0.6.4"
        }
    ],
    "crypt": [
        {
            "advisory": "crypt  is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34981",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "cryptacular": [
        {
            "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.",
            "cve": null,
            "id": "pyup.io-25677",
            "specs": [
                "<1.2"
            ],
            "v": "<1.2"
        }
    ],
    "cryptography": [
        {
            "advisory": "cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA  to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.",
            "cve": null,
            "id": "pyup.io-25678",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        },
        {
            "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use  of assertions to check response codes where our tests could not trigger a  failure.  However, when Python is run with ``-O`` these asserts are optimized  away.  If a user ran Python with this flag and got an invalid response code  this could result in undefined behavior or worse. Accordingly, all response  checks from the OpenSSL backend have been converted from ``assert``  to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)**  for the report.",
            "cve": null,
            "id": "pyup.io-25679",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        },
        {
            "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.",
            "cve": "CVE-2016-9243",
            "id": "pyup.io-25680",
            "specs": [
                "<1.5.3"
            ],
            "v": "<1.5.3"
        },
        {
            "advisory": "python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.",
            "cve": "CVE-2018-10903",
            "id": "pyup.io-36351",
            "specs": [
                ">=1.9.0,<2.3"
            ],
            "v": ">=1.9.0,<2.3"
        }
    ],
    "cryptography-vectors": [
        {
            "advisory": "cryptography-vectors 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently  unreleased) CFFI versions greater than 1.1.0.",
            "cve": null,
            "id": "pyup.io-25681",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        },
        {
            "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use  of assertions to check response codes where our tests could not trigger a  failure.  However, when Python is run with ``-O`` these asserts are optimized  away.  If a user ran Python with this flag and got an invalid response code  this could result in undefined behavior or worse. Accordingly, all response  checks from the OpenSSL backend have been converted from ``assert``  to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)**  for the report.",
            "cve": null,
            "id": "pyup.io-25682",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        },
        {
            "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.",
            "cve": "CVE-2016-9243",
            "id": "pyup.io-25683",
            "specs": [
                "<1.5.3"
            ],
            "v": "<1.5.3"
        }
    ],
    "cssutils": [
        {
            "advisory": "In cssutils before 0.9.6a2 comments added by ``cssutils.resolveImports`` only use the import rules' href and not the absolute href of the referenced sheets anymore (might have been a possible security hole when showing a full local path to a sheet in a combined but not minified sheet)",
            "cve": null,
            "id": "pyup.io-25684",
            "specs": [
                "<0.9.6a2"
            ],
            "v": "<0.9.6a2"
        }
    ],
    "cumin": [
        {
            "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cumin before r5238 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) widgets or (2) pages.",
            "cve": "CVE-2012-1575",
            "id": "pyup.io-35357",
            "specs": [
                "<r5238"
            ],
            "v": "<r5238"
        }
    ],
    "cupy": [
        {
            "advisory": "`cupy.load` in cupy 7.0.0b2 specifies `allow_pickle=False` by default to follow the security fix made in NumPy 1.16.3 (see https://github.com/numpy/numpy/pull/13359 and https://github.com/cupy/cupy/pull/2290). Most users should not be affected by this change; users loading `ndarray` serialized using pickle may need to explicitly specify `allow_pickle=True`.",
            "cve": null,
            "id": "pyup.io-37395",
            "specs": [
                "<7.0.0b2"
            ],
            "v": "<7.0.0b2"
        }
    ],
    "datacube": [
        {
            "advisory": "datacube 1.6.2 is a Patch release to build a new Docker container, to resolve an upstream security bug.",
            "cve": null,
            "id": "pyup.io-36835",
            "specs": [
                "<1.6.2"
            ],
            "v": "<1.6.2"
        }
    ],
    "dateable-chronos": [
        {
            "advisory": "dateable-chronos before 0.7.2 fixed a XSS vulnerability in the get_view_day method.",
            "cve": null,
            "id": "pyup.io-35988",
            "specs": [
                "<0.7.2"
            ],
            "v": "<0.7.2"
        }
    ],
    "dateable.chronos": [
        {
            "advisory": "dateable.chronos 0.7.2 fixes a XSS vulnerability in the get_view_day method.",
            "cve": null,
            "id": "pyup.io-25685",
            "specs": [
                "<0.7.2"
            ],
            "v": "<0.7.2"
        }
    ],
    "datera-cinder": [
        {
            "advisory": "Datera-cinder 2018.10.30.0 updates the required requests version to >=2.20.0 because of a security vulnerability in <=2.19.X.",
            "cve": null,
            "id": "pyup.io-37204",
            "specs": [
                "<2018.10.30.0"
            ],
            "v": "<2018.10.30.0"
        }
    ],
    "ddtrace": [
        {
            "advisory": "ddtrace  0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent wrong data collection of reported SQL queries. This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.",
            "cve": null,
            "id": "pyup.io-35790",
            "specs": [
                "<0.11.0"
            ],
            "v": "<0.11.0"
        }
    ],
    "debianized-jupyterhub": [
        {
            "advisory": "debianized-jupyterhub 0.9.51 updates to release 0.9.5 + NB 5.7.7 (fix for Open Redirect vulnerability)",
            "cve": null,
            "id": "pyup.io-37002",
            "specs": [
                "<0.9.51"
            ],
            "v": "<0.9.51"
        }
    ],
    "debops": [
        {
            "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.",
            "cve": null,
            "id": "pyup.io-36371",
            "specs": [
                "<0.8.0"
            ],
            "v": "<0.8.0"
        },
        {
            "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys` have been created for his Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. See: <https://www.patreon.com/posts/dpa-new-signing-25451165>.",
            "cve": null,
            "id": "pyup.io-37159",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        },
        {
            "advisory": "The :command:`lxc-prepare-ssh` script in debops 1.1.0 will no longer install SSH keys from the LXC host ``root`` account on the LXC container ``root`` account. This can cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.",
            "cve": null,
            "id": "pyup.io-37404",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        },
        {
            "advisory": "In debops 1.2.0:\r\n- The use of the ``params`` option in the ``ldap_attrs`` and ``ldap_entry`` Ansible modules is deprecated due to their insecure nature.\r\n- The CVE-2019-11043 vulnerability has been mitigated in the :command:`nginx` ``php`` and ``php5`` configuration templates. The mitigation is based on the `suggested workaround`__ from the PHP Bug Tracker.\r\n- A security patch for the CVE-2019-11043 vulnerability has been applied in the Nextcloud configuration for the :ref:`debops.nginx` role. The patch is based on the `fix suggested by upstream`.",
            "cve": "CVE-2019-11043",
            "id": "pyup.io-37733",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        },
        {
            "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.",
            "cve": null,
            "id": "pyup.io-26403",
            "specs": [
                "<2.0.0"
            ],
            "v": "<2.0.0"
        }
    ],
    "decaptcha": [
        {
            "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0",
            "cve": null,
            "id": "pyup.io-37892",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        },
        {
            "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0",
            "cve": null,
            "id": "pyup.io-37891",
            "specs": [
                "<1.0.1"
            ],
            "v": "<1.0.1"
        }
    ],
    "definitions": [
        {
            "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.",
            "cve": "CVE-2018-20325",
            "id": "pyup.io-36752",
            "specs": [
                "<=0.2.0"
            ],
            "v": "<=0.2.0"
        }
    ],
    "defusedexpat": [
        {
            "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.",
            "cve": "CVE-2013-1664",
            "id": "pyup.io-33054",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        },
        {
            "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
            "cve": "CVE-2013-1665",
            "id": "pyup.io-33055",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        }
    ],
    "defusedxml": [
        {
            "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.",
            "cve": "CVE-2013-1664",
            "id": "pyup.io-33056",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        },
        {
            "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.",
            "cve": "CVE-2013-1665",
            "id": "pyup.io-33057",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        }
    ],
    "deis": [
        {
            "advisory": "deis before 1.3.1 has SSLv3 enabled which has known security issues. See CVE-2014-3566.",
            "cve": null,
            "id": "pyup.io-25691",
            "specs": [
                "<1.3.1"
            ],
            "v": "<1.3.1"
        }
    ],
    "deltachat": [
        {
            "advisory": "deltachat 1.0.0beta.2 has several security fixes",
            "cve": null,
            "id": "pyup.io-37922",
            "specs": [
                "<1.0.0beta.2"
            ],
            "v": "<1.0.0beta.2"
        }
    ],
    "deluge": [
        {
            "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.",
            "cve": null,
            "id": "pyup.io-37155",
            "specs": [
                "<2.0.0"
            ],
            "v": "<2.0.0"
        }
    ],
    "destringcare": [
        {
            "advisory": "destringcare 0.0.4 change: Removed `pycrypto` due to security issue",
            "cve": null,
            "id": "pyup.io-37228",
            "specs": [
                "<0.0.4"
            ],
            "v": "<0.0.4"
        }
    ],
    "directory-components": [
        {
            "advisory": "Directory-components 25.0.1 includes an update to fix the lodash vulnerability.",
            "cve": null,
            "id": "pyup.io-37298",
            "specs": [
                "<25.0.1"
            ],
            "v": "<25.0.1"
        }
    ],
    "discogs-client": [
        {
            "advisory": "discogs-client 2.2.2 updates dependencies to resolve security vulnerabilities",
            "cve": null,
            "id": "pyup.io-36787",
            "specs": [
                "<2.2.2"
            ],
            "v": "<2.2.2"
        }
    ],
    "djangae": [
        {
            "advisory": "djangae before 0.9.4 uses Django 1.7 which is no longer supported (EOL, with known security issues).",
            "cve": null,
            "id": "pyup.io-25693",
            "specs": [
                "<0.9.4"
            ],
            "v": "<0.9.4"
        }
    ],
    "django": [
        {
            "advisory": "The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.",
            "cve": "CVE-2009-2659",
            "id": "pyup.io-25694",
            "specs": [
                "<1.0"
            ],
            "v": "<1.0"
        },
        {
            "advisory": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.",
            "cve": "CVE-2009-3695",
            "id": "pyup.io-25695",
            "specs": [
                "<1.0.4",
                ">=1.1,<1.1.1"
            ],
            "v": "<1.0.4,>=1.1,<1.1.1"
        },
        {
            "advisory": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.",
            "cve": "CVE-2010-4534",
            "id": "pyup.io-33058",
            "specs": [
                "<1.1.3",
                ">=1.2,<1.2.4"
            ],
            "v": "<1.1.3,>=1.2,<1.2.4"
        },
        {
            "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.",
            "cve": "CVE-2010-4535",
            "id": "pyup.io-33059",
            "specs": [
                "<1.1.3",
                ">=1.2,<1.2.4"
            ],
            "v": "<1.1.3,>=1.2,<1.2.4"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.",
            "cve": "CVE-2011-0697",
            "id": "pyup.io-33061",
            "specs": [
                "<1.1.4"
            ],
            "v": "<1.1.4"
        },
        {
            "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.",
            "cve": "CVE-2011-0696",
            "id": "pyup.io-33060",
            "specs": [
                "<1.1.4",
                ">=1.2,<1.2.5"
            ],
            "v": "<1.1.4,>=1.2,<1.2.5"
        },
        {
            "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.",
            "cve": "CVE-2011-0698",
            "id": "pyup.io-33062",
            "specs": [
                "<1.1.4",
                ">=1.2,<1.2.5"
            ],
            "v": "<1.1.4,>=1.2,<1.2.5"
        },
        {
            "advisory": "django 1.11.18 fixes a security issue in 1.11.17 (CVE-2019-3498) where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.",
            "cve": null,
            "id": "pyup.io-36771",
            "specs": [
                "<1.11.18,>=1.11.17"
            ],
            "v": "<1.11.18,>=1.11.17"
        },
        {
            "advisory": "Django 1.11.x before 1.11.19 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
            "cve": "CVE-2019-6975",
            "id": "pyup.io-36885",
            "specs": [
                "<1.11.19,>=1.11.0"
            ],
            "v": "<1.11.19,>=1.11.0"
        },
        {
            "advisory": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.",
            "cve": "CVE-2019-12781",
            "id": "pyup.io-37261",
            "specs": [
                "<1.11.22,>1.11",
                "<2.1.10,>2.1",
                "<2.2.3,>2.2"
            ],
            "v": "<1.11.22,>1.11,<2.1.10,>2.1,<2.2.3,>2.2"
        },
        {
            "advisory": "Django 1.11.22 fixes a security issue in 1.11.21.",
            "cve": null,
            "id": "pyup.io-37259",
            "specs": [
                "<1.11.22,>1.11.21"
            ],
            "v": "<1.11.22,>1.11.21"
        },
        {
            "advisory": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) See CVE-2019-19844.",
            "cve": "CVE-2019-19844",
            "id": "pyup.io-37771",
            "specs": [
                "<1.11.27",
                ">=2.0,<2.2.9",
                ">=3.0,<3.0.1"
            ],
            "v": "<1.11.27,>=2.0,<2.2.9,>=3.0,<3.0.1"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.",
            "cve": "CVE-2010-3082",
            "id": "pyup.io-25701",
            "specs": [
                "<1.2.2"
            ],
            "v": "<1.2.2"
        },
        {
            "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.",
            "cve": "CVE-2011-4136",
            "id": "pyup.io-33063",
            "specs": [
                "<1.2.7",
                ">=1.3,<1.3.1"
            ],
            "v": "<1.2.7,>=1.3,<1.3.1"
        },
        {
            "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.",
            "cve": "CVE-2011-4137",
            "id": "pyup.io-33064",
            "specs": [
                "<1.2.7",
                ">=1.3,<1.3.1"
            ],
            "v": "<1.2.7,>=1.3,<1.3.1"
        },
        {
            "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.",
            "cve": "CVE-2011-4138",
            "id": "pyup.io-33065",
            "specs": [
                "<1.2.7",
                ">=1.3,<1.3.1"
            ],
            "v": "<1.2.7,>=1.3,<1.3.1"
        },
        {
            "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.",
            "cve": "CVE-2011-4140",
            "id": "pyup.io-33066",
            "specs": [
                "<1.2.7",
                ">=1.3,<1.3.1"
            ],
            "v": "<1.2.7,>=1.3,<1.3.1"
        },
        {
            "advisory": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.",
            "cve": "CVE-2012-3442",
            "id": "pyup.io-33067",
            "specs": [
                "<1.3.2",
                ">=1.4,<1.4.1"
            ],
            "v": "<1.3.2,>=1.4,<1.4.1"
        },
        {
            "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.",
            "cve": "CVE-2012-3443",
            "id": "pyup.io-33068",
            "specs": [
                "<1.3.2",
                ">=1.4,<1.4.1"
            ],
            "v": "<1.3.2,>=1.4,<1.4.1"
        },
        {
            "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.",
            "cve": "CVE-2012-3444",
            "id": "pyup.io-33069",
            "specs": [
                "<1.3.2",
                ">=1.4,<1.4.1"
            ],
            "v": "<1.3.2,>=1.4,<1.4.1"
        },
        {
            "advisory": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.",
            "cve": "CVE-2012-4520",
            "id": "pyup.io-25709",
            "specs": [
                "<1.3.4",
                ">=1.4,<1.4.2"
            ],
            "v": "<1.3.4,>=1.4,<1.4.2"
        },
        {
            "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
            "cve": "CVE-2015-0220",
            "id": "pyup.io-33071",
            "specs": [
                "<1.4.18",
                ">=1.6,<1.6.10",
                ">=1.7,<1.7.3"
            ],
            "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3"
        },
        {
            "advisory": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.",
            "cve": "CVE-2015-0221",
            "id": "pyup.io-33072",
            "specs": [
                "<1.4.18",
                ">=1.6,<1.6.10",
                ">=1.7,<1.7.3"
            ],
            "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3"
        },
        {
            "advisory": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.",
            "cve": "CVE-2015-0219",
            "id": "pyup.io-33070",
            "specs": [
                "<1.4.18",
                ">=1.7,<1.7.3",
                ">=1.6,<1.6.10"
            ],
            "v": "<1.4.18,>=1.7,<1.7.3,>=1.6,<1.6.10"
        },
        {
            "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.",
            "cve": "CVE-2016-2513",
            "id": "pyup.io-33074",
            "specs": [
                "<1.8.10",
                ">=1.9,<1.9.3"
            ],
            "v": "<1.8.10,>=1.9,<1.9.3"
        },
        {
            "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.",
            "cve": "CVE-2016-2512",
            "id": "pyup.io-33073",
            "specs": [
                "<1.8.10",
                ">=1.9,<1.9.3"
            ],
            "v": "<1.8.10,>=1.9,<1.9.3"
        },
        {
            "advisory": "Django 2.0.x before 2.0.11 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
            "cve": "CVE-2019-6975",
            "id": "pyup.io-36884",
            "specs": [
                "<2.0.11,>=2.0.0"
            ],
            "v": "<2.0.11,>=2.0.0"
        },
        {
            "advisory": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.",
            "cve": "CVE-2018-16984",
            "id": "pyup.io-36522",
            "specs": [
                "<2.1.2,>=2.1"
            ],
            "v": "<2.1.2,>=2.1"
        },
        {
            "advisory": "django before 2.1.2 fixes a security bug in 2.1.x. \r\nIf an admin user has the change permission to the user model, only part of the\r\npassword hash is displayed in the change form. Admin users with the view (but\r\nnot change) permission to the user model were displayed the entire hash.",
            "cve": "CVE-2018-16984",
            "id": "pyup.io-36517",
            "specs": [
                "<2.1.2,>=2.1.0"
            ],
            "v": "<2.1.2,>=2.1.0"
        },
        {
            "advisory": "django 2.1.5 fixes a security issue in 2.1.4 (CVE-2019-3498) where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.",
            "cve": "CVE-2019-3498",
            "id": "pyup.io-36769",
            "specs": [
                "<2.1.5,>=2.1.4"
            ],
            "v": "<2.1.5,>=2.1.4"
        },
        {
            "advisory": "Django 2.1.x before 2.1.6  allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
            "cve": "CVE-2019-6975",
            "id": "pyup.io-36883",
            "specs": [
                "<2.1.6,>=2.1.0"
            ],
            "v": "<2.1.6,>=2.1.0"
        },
        {
            "advisory": "django 1.11.15 fixes a phishing security issue in 1.11.14 if the :class:`~django.middleware.common.CommonMiddleware` and the :setting:`APPEND_SLASH` setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash.",
            "cve": null,
            "id": "pyup.io-36359",
            "specs": [
                "==1.11.14"
            ],
            "v": "==1.11.14"
        },
        {
            "advisory": "Django 1.11.21 fixes a security issue in 1.11.20: CVE-2019-12308 (AdminURLFieldWidget XSS).",
            "cve": null,
            "id": "pyup.io-37186",
            "specs": [
                "==1.11.20"
            ],
            "v": "==1.11.20"
        },
        {
            "advisory": "Django 1.11.23 fixes the following security issues in 1.11.22: CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, and CVE-2019-14235.",
            "cve": "CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235",
            "id": "pyup.io-37326",
            "specs": [
                "==1.11.22"
            ],
            "v": "==1.11.22"
        },
        {
            "advisory": "Django 1.11.27 fixes CVE-2019-19844 in 1.11.26: potential account hijack via password reset form.",
            "cve": null,
            "id": "pyup.io-37663",
            "specs": [
                "==1.11.26"
            ],
            "v": "==1.11.26"
        },
        {
            "advisory": "Django 1.11.28 fixes a security issue in 1.11.27. Potential SQL injection via ``StringAgg(delimiter)``. See: CVE-2020-7471.",
            "cve": "CVE-2020-7471",
            "id": "pyup.io-37817",
            "specs": [
                "==1.11.27"
            ],
            "v": "==1.11.27"
        },
        {
            "advisory": "django 2.0.8 fixes a security issue and several bugs in 2.0.7 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash",
            "cve": null,
            "id": "pyup.io-36358",
            "specs": [
                "==2.0.7"
            ],
            "v": "==2.0.7"
        },
        {
            "advisory": "django 2.0.10 fixes a security issue - CVE-2019-3498 - where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.",
            "cve": "CVE-2019-3498",
            "id": "pyup.io-36770",
            "specs": [
                "==2.0.9"
            ],
            "v": "==2.0.9"
        },
        {
            "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``",
            "cve": "CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, CVE-2019-14235",
            "id": "pyup.io-37325",
            "specs": [
                "==2.1.10"
            ],
            "v": "==2.1.10"
        },
        {
            "advisory": "Django 2.1.15 fixes CVE-2019-19118 in 2.1.14: Privilege escalation in the Django admin.",
            "cve": "CVE-2019-19118",
            "id": "pyup.io-37657",
            "specs": [
                "==2.1.14"
            ],
            "v": "==2.1.14"
        },
        {
            "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 (AdminURLFieldWidget XSS) and it includes a patched bundled jQuery for CVE-2019-11358 (Prototype pollution).",
            "cve": "CVE-2019-12308, CVE-2019-11358",
            "id": "pyup.io-37185",
            "specs": [
                "==2.1.8"
            ],
            "v": "==2.1.8"
        },
        {
            "advisory": "Django 2.1.10 fixes a security issue in 2.1.9. CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle",
            "cve": "CVE-2020-9402",
            "id": "pyup.io-37258",
            "specs": [
                "==2.1.9"
            ],
            "v": "==2.1.9"
        },
        {
            "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS) and it includes a patched bundled jQuery for CVE-2019-11358 (Prototype pollution).",
            "cve": "CVE-2019-12308, CVE-2019-11358",
            "id": "pyup.io-37184",
            "specs": [
                "==2.2.1"
            ],
            "v": "==2.2.1"
        },
        {
            "advisory": "Django 2.2.11 fixes a security issue in 2.2.10. Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle. See CVE-2020-9402.",
            "cve": "CVE-2020-9402",
            "id": "pyup.io-37969",
            "specs": [
                "==2.2.10"
            ],
            "v": "==2.2.10"
        },
        {
            "advisory": "Django 2.2.3 fixes CVE-2019-12781 in 2.2.2: incorrect HTTP detection with reverse-proxy connecting via HTTPS.",
            "cve": "CVE-2019-12781",
            "id": "pyup.io-37324",
            "specs": [
                "==2.2.2"
            ],
            "v": "==2.2.2"
        },
        {
            "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``",
            "cve": "CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, CVE-2019-14235",
            "id": "pyup.io-37323",
            "specs": [
                "==2.2.3"
            ],
            "v": "==2.2.3"
        },
        {
            "advisory": "Django 2.2.8 fixes CVE-2019-19118 in 2.2.7: Privilege escalation in the Django admin.",
            "cve": "CVE-2019-19118",
            "id": "pyup.io-37656",
            "specs": [
                "==2.2.7"
            ],
            "v": "==2.2.7"
        },
        {
            "advisory": "Django 2.2.9 fixes CVE-2019-19844 in 2.2.8: potential account hijack via password reset form.",
            "cve": null,
            "id": "pyup.io-37662",
            "specs": [
                "==2.2.8"
            ],
            "v": "==2.2.8"
        },
        {
            "advisory": "Django 2.2.10 fixes a security issue in 2.2.9. Potential SQL injection via ``StringAgg(delimiter)``. See CVE-2020-7471.",
            "cve": "CVE-2020-7471",
            "id": "pyup.io-37816",
            "specs": [
                "==2.2.9"
            ],
            "v": "==2.2.9"
        },
        {
            "advisory": "Django 3.0.1 fixes CVE-2019-19844 in 3.0: potential account hijack via password reset form.",
            "cve": "CVE-2019-19844",
            "id": "pyup.io-37661",
            "specs": [
                "==3.0"
            ],
            "v": "==3.0"
        },
        {
            "advisory": "Django 3.0.3 fixes a security issue and several bugs in 3.0.2. Potential SQL injection via ``StringAgg(delimiter)``. See: CVE-2020-7471.",
            "cve": "CVE-2020-7471",
            "id": "pyup.io-37815",
            "specs": [
                "==3.0.2"
            ],
            "v": "==3.0.2"
        },
        {
            "advisory": "Django 3.0.4 fixes a security issue in 3.0.3: potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle.",
            "cve": "CVE-2020-9402",
            "id": "pyup.io-27043",
            "specs": [
                "==3.0.3"
            ],
            "v": "==3.0.3"
        },
        {
            "advisory": "Django 3.0.4 fixes a security issue in 3.0.3. Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle. See CVE-2020-9402.",
            "cve": null,
            "id": "pyup.io-37968",
            "specs": [
                "==3.0.3"
            ],
            "v": "==3.0.3"
        },
        {
            "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================",
            "cve": null,
            "id": "pyup.io-25722",
            "specs": [
                ">=1.10,<1.10.3"
            ],
            "v": ">=1.10,<1.10.3"
        },
        {
            "advisory": "CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases  (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.",
            "cve": null,
            "id": "pyup.io-33300",
            "specs": [
                ">=1.10,<1.10.7"
            ],
            "v": ">=1.10,<1.10.7"
        },
        {
            "advisory": "Django 1.10.8 fixes a security issue in 1.10.7.\r\n\r\nCVE-2017-12794: Possible XSS in traceback section of technical 500 debug page\r\n=============================================================================\r\n\r\nIn older versions, HTML autoescaping was disabled in a portion of the template\r\nfor the technical 500 debug page. Given the right circumstances, this allowed\r\na cross-site scripting attack. This vulnerability shouldn't affect most\r\nproduction sites since you shouldn't run with ``DEBUG = True`` (which makes\r\nthis page accessible) in your production settings.",
            "cve": null,
            "id": "pyup.io-34918",
            "specs": [
                ">=1.10,<1.10.8"
            ],
            "v": ">=1.10,<1.10.8"
        },
        {
            "advisory": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.",
            "cve": "CVE-2020-7471",
            "id": "pyup.io-37970",
            "specs": [
                ">=1.11,<1.11.28",
                ">=2.2,<2.2.10",
                ">=3.0,<3.0.3"
            ],
            "v": ">=1.11,<1.11.28,>=2.2,<2.2.10,>=3.0,<3.0.3"
        },
        {
            "advisory": "Django 1.11.5 fixes a security issue and several bugs in 1.11.4.\r\n\r\nCVE-2017-12794: Possible XSS in traceback section of technical 500 debug page\r\n=============================================================================\r\n\r\nIn older versions, HTML autoescaping was disabled in a portion of the template\r\nfor the technical 500 debug page. Given the right circumstances, this allowed\r\na cross-site scripting attack. This vulnerability shouldn't affect most\r\nproduction sites since you shouldn't run with ``DEBUG = True`` (which makes\r\nthis page accessible) in your production settings.",
            "cve": null,
            "id": "pyup.io-34917",
            "specs": [
                ">=1.11,<1.11.5"
            ],
            "v": ">=1.11,<1.11.5"
        },
        {
            "advisory": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. A remote user can redirect the target user's browser to an arbitrary site.",
            "cve": "CVE-2018-14574",
            "id": "pyup.io-36368",
            "specs": [
                ">=1.11.0,<1.11.15",
                ">=2.0.0,<2.0.8"
            ],
            "v": ">=1.11.0,<1.11.15,>=2.0.0,<2.0.8"
        },
        {
            "advisory": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.",
            "cve": "CVE-2019-12308",
            "id": "pyup.io-37191",
            "specs": [
                ">=1.11.0,<1.11.21",
                ">=2.1,<2.1.9",
                ">=2.2,<2.2.2"
            ],
            "v": ">=1.11.0,<1.11.21,>=2.1,<2.1.9,>=2.2,<2.2.2"
        },
        {
            "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.",
            "cve": "CVE-2019-14234",
            "id": "pyup.io-37357",
            "specs": [
                ">=1.11.0,<1.11.23",
                ">=2.1.0,<2.1.11",
                ">=2.2.0,<2.2.4"
            ],
            "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
        },
        {
            "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.",
            "cve": "CVE-2019-14235",
            "id": "pyup.io-37331",
            "specs": [
                ">=1.11.0,<1.11.23",
                ">=2.1.0,<2.1.11",
                ">=2.2.0,<2.2.4"
            ],
            "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
        },
        {
            "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.",
            "cve": "CVE-2019-14233",
            "id": "pyup.io-37330",
            "specs": [
                ">=1.11.0,<1.11.23",
                ">=2.1.0,<2.1.11",
                ">=2.2.0,<2.2.4"
            ],
            "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
        },
        {
            "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
            "cve": "CVE-2019-14232",
            "id": "pyup.io-37329",
            "specs": [
                ">=1.11.0,<1.11.23",
                ">=2.1.0,<2.1.11",
                ">=2.2.0,<2.2.4"
            ],
            "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4"
        },
        {
            "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. See CVE-2020-9402.",
            "cve": "CVE-2020-9402",
            "id": "pyup.io-38010",
            "specs": [
                ">=1.11.0,<1.11.29",
                ">=2.2.0,<2.2.11",
                ">=3.0.0,<3.0.4"
            ],
            "v": ">=1.11.0,<1.11.29,>=2.2.0,<2.2.11,>=3.0.0,<3.0.4"
        },
        {
            "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.",
            "cve": null,
            "id": "pyup.io-35174",
            "specs": [
                ">=1.11.8,<1.11.10"
            ],
            "v": ">=1.11.8,<1.11.10"
        },
        {
            "advisory": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.",
            "cve": "CVE-2013-0305",
            "id": "pyup.io-33111",
            "specs": [
                ">=1.3,<1.3.6",
                ">=1.4,<1.4.4",
                ">=1.5,<1.5.1"
            ],
            "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1"
        },
        {
            "advisory": "The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.",
            "cve": "CVE-2013-0306",
            "id": "pyup.io-33112",
            "specs": [
                ">=1.3,<1.3.6",
                ">=1.4,<1.4.4",
                ">=1.5,<1.5.1"
            ],
            "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1"
        },
        {
            "advisory": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.",
            "cve": "CVE-2015-5964",
            "id": "pyup.io-25728",
            "specs": [
                ">=1.4,<1.4.22",
                ">=1.7,<1.7.10"
            ],
            "v": ">=1.4,<1.4.22,>=1.7,<1.7.10"
        },
        {
            "advisory": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.",
            "cve": "CVE-2015-5963",
            "id": "pyup.io-25727",
            "specs": [
                ">=1.4,<1.4.22",
                ">=1.7,<1.7.10",
                ">=1.8,<1.8.4"
            ],
            "v": ">=1.4,<1.4.22,>=1.7,<1.7.10,>=1.8,<1.8.4"
        },
        {
            "advisory": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.",
            "cve": "CVE-2013-1443",
            "id": "pyup.io-25729",
            "specs": [
                ">=1.6,<1.6-beta-4",
                ">=1.4,<1.4.8",
                ">=1.5,<1.5.4"
            ],
            "v": ">=1.6,<1.6-beta-4,>=1.4,<1.4.8,>=1.5,<1.5.4"
        },
        {
            "advisory": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.",
            "cve": "CVE-2015-0222",
            "id": "pyup.io-25730",
            "specs": [
                ">=1.7,<1.7.3",
                ">=1.6,<1.6.10"
            ],
            "v": ">=1.7,<1.7.3,>=1.6,<1.6.10"
        },
        {
            "advisory": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.",
            "cve": "CVE-2015-2316",
            "id": "pyup.io-25731",
            "specs": [
                ">=1.7,<1.7.7",
                ">=1.8,<1.8c1",
                ">=1.6,<1.6.11"
            ],
            "v": ">=1.7,<1.7.7,>=1.8,<1.8c1,>=1.6,<1.6.11"
        },
        {
            "advisory": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.",
            "cve": "CVE-2015-5143",
            "id": "pyup.io-25725",
            "specs": [
                ">=1.7,<1.7.9",
                ">=1.5,<1.7",
                ">=1.4,<1.4.21"
            ],
            "v": ">=1.7,<1.7.9,>=1.5,<1.7,>=1.4,<1.4.21"
        },
        {
            "advisory": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.",
            "cve": "CVE-2016-9014",
            "id": "pyup.io-33075",
            "specs": [
                ">=1.8,<1.8.16",
                ">=1.9,<1.9.11",
                ">=1.10,<1.10.3"
            ],
            "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
        },
        {
            "advisory": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.",
            "cve": "CVE-2016-9013",
            "id": "pyup.io-33076",
            "specs": [
                ">=1.8,<1.8.16",
                ">=1.9,<1.9.11",
                ">=1.10,<1.10.3"
            ],
            "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
        },
        {
            "advisory": "Django 1.8.18 fixes two security issues in 1.8.17.\r\n\r\nCVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases  (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.",
            "cve": null,
            "id": "pyup.io-33301",
            "specs": [
                ">=1.8,<1.8.18"
            ],
            "v": ">=1.8,<1.8.18"
        },
        {
            "advisory": "The ``django.utils.html.urlize()`` function was extremely slow to evaluate\r\ncertain inputs due to a catastrophic backtracking vulnerability in a regular\r\nexpression. The ``urlize()`` function is used to implement the ``urlize`` and\r\n``urlizetrunc`` template filters, which were thus vulnerable.\r\n\r\nThe problematic regular expression is replaced with parsing logic that behaves\r\nsimilarly.",
            "cve": "CVE-2018-7536",
            "id": "pyup.io-35797",
            "specs": [
                ">=1.8,<1.8.19",
                ">=1.11,<1.11.11",
                ">=2.0,<2.0.3"
            ],
            "v": ">=1.8,<1.8.19,>=1.11,<1.11.11,>=2.0,<2.0.3"
        },
        {
            "advisory": "If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were\r\npassed the ``html=True`` argument, they were extremely slow to evaluate certain\r\ninputs due to a catastrophic backtracking vulnerability in a regular\r\nexpression. The ``chars()`` and ``words()`` methods are used to implement the\r\n``truncatechars_html`` and ``truncatewords_html`` template filters, which were\r\nthus vulnerable.",
            "cve": "CVE-2018-7537",
            "id": "pyup.io-35796",
            "specs": [
                ">=1.8,<1.8.19",
                ">=1.11,<1.11.11",
                ">=2.0,<2.0.3"
            ],
            "v": ">=1.8,<1.8.19,>=1.11,<1.11.11,>=2.0,<2.0.3"
        },
        {
            "advisory": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.",
            "cve": "CVE-2015-3982",
            "id": "pyup.io-25732",
            "specs": [
                ">=1.8,<1.8.2"
            ],
            "v": ">=1.8,<1.8.2"
        },
        {
            "advisory": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
            "cve": "CVE-2015-5145",
            "id": "pyup.io-25733",
            "specs": [
                ">=1.8,<1.8.3"
            ],
            "v": ">=1.8,<1.8.3"
        },
        {
            "advisory": "Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.",
            "cve": "CVE-2015-5144",
            "id": "pyup.io-25726",
            "specs": [
                ">=1.8,<1.8.3",
                ">=1.7,<1.7.9",
                ">=1.5,<1.6",
                ">=1.4,<1.4.21"
            ],
            "v": ">=1.8,<1.8.3,>=1.7,<1.7.9,>=1.5,<1.6,>=1.4,<1.4.21"
        },
        {
            "advisory": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.",
            "cve": "CVE-2015-8213",
            "id": "pyup.io-25714",
            "specs": [
                ">=1.8,<1.8.7",
                "<1.7.11",
                ">=1.9,<1.9rc2"
            ],
            "v": ">=1.8,<1.8.7,<1.7.11,>=1.9,<1.9rc2"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.",
            "cve": "CVE-2015-2241",
            "id": "pyup.io-25715",
            "specs": [
                ">=1.8,<1.8b2",
                "<1.7.6"
            ],
            "v": ">=1.8,<1.8b2,<1.7.6"
        },
        {
            "advisory": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL.",
            "cve": "CVE-2015-2317",
            "id": "pyup.io-25713",
            "specs": [
                ">=1.8,<1.8c1",
                "<1.4.20",
                ">=1.5,<1.6",
                ">=1.6,<1.6.11",
                ">=1.7,<1.7.7"
            ],
            "v": ">=1.8,<1.8c1,<1.4.20,>=1.5,<1.6,>=1.6,<1.6.11,>=1.7,<1.7.7"
        },
        {
            "advisory": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.",
            "cve": "CVE-2016-7401",
            "id": "pyup.io-25718",
            "specs": [
                ">=1.9,<1.9.10",
                "<1.8.15"
            ],
            "v": ">=1.9,<1.9.10,<1.8.15"
        },
        {
            "advisory": "Django 1.9.11 fixes two security issues in 1.9.10.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================",
            "cve": null,
            "id": "pyup.io-25734",
            "specs": [
                ">=1.9,<1.9.11"
            ],
            "v": ">=1.9,<1.9.11"
        },
        {
            "advisory": "Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final\r\nrelease of the 1.9.x series.\r\n\r\nCVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases  (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.",
            "cve": null,
            "id": "pyup.io-33302",
            "specs": [
                ">=1.9,<1.9.13"
            ],
            "v": ">=1.9,<1.9.13"
        },
        {
            "advisory": "Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the \"Save as New\" option when editing objects and leveraging the \"change\" permission.",
            "cve": "CVE-2016-2048",
            "id": "pyup.io-25735",
            "specs": [
                ">=1.9,<1.9.2"
            ],
            "v": ">=1.9,<1.9.2"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",
            "cve": "CVE-2016-6186",
            "id": "pyup.io-25721",
            "specs": [
                ">=1.9,<1.9.8",
                "==1.8.14",
                ">=1.10,<1.10rc1"
            ],
            "v": ">=1.9,<1.9.8,==1.8.14,>=1.10,<1.10rc1"
        },
        {
            "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.",
            "cve": null,
            "id": "pyup.io-35173",
            "specs": [
                ">=2.0,<2.0.2"
            ],
            "v": ">=2.0,<2.0.2"
        },
        {
            "advisory": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) See: CVE-2019-19118.",
            "cve": "CVE-2019-19118",
            "id": "pyup.io-37766",
            "specs": [
                ">=2.1,<2.1.15",
                ">=2.2,<2.2.8"
            ],
            "v": ">=2.1,<2.1.15,>=2.2,<2.2.8"
        }
    ],
    "django-access-tokens": [
        {
            "advisory": "django-access-tokens 0.9.2 fixes scoping of permissions where the token provides a smaller subset of the required permissions. As an extreme case, an access token granting no permissions could be used to access any permissions on the site.",
            "cve": null,
            "id": "pyup.io-25736",
            "specs": [
                "<0.9.2"
            ],
            "v": "<0.9.2"
        }
    ],
    "django-access-tokens-py3": [
        {
            "advisory": "Fixing scoping of permissions where the token provides a\r\nsmaller subset of the required permissions. As an extreme case, an access token\r\ngranting no permissions could be used to access any permissions on the site.",
            "cve": null,
            "id": "pyup.io-34892",
            "specs": [
                "<0.9.2"
            ],
            "v": "<0.9.2"
        }
    ],
    "django-airplane": [
        {
            "advisory": "django-airplane 0.3 updates minimum django to secure 2.0.2.",
            "cve": null,
            "id": "pyup.io-36587",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        }
    ],
    "django-allauth": [
        {
            "advisory": "django-allauth before 0.28.0 previous versions contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the  larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.",
            "cve": null,
            "id": "pyup.io-25737",
            "specs": [
                "<0.28.0"
            ],
            "v": "<0.28.0"
        },
        {
            "advisory": "On django-allauth before 0.34.0 the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.",
            "cve": null,
            "id": "pyup.io-35034",
            "specs": [
                "<0.34.0"
            ],
            "v": "<0.34.0"
        },
        {
            "advisory": "Django-allauth 0.41.0 conforms to the general Django 3.0.1, 2.2.9, and 1.11.27 security release - see CVE-2019-19844 and https://www.djangoproject.com/weblog/2019/dec/18/security-releases/",
            "cve": null,
            "id": "pyup.io-37664",
            "specs": [
                "<0.41.0"
            ],
            "v": "<0.41.0"
        }
    ],
    "django-allauth-underground": [
        {
            "advisory": "django-allauth-underground before 0.28.0 contained a vulnerability allowing an attacker to alter the\r\n  provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the\r\n  larger ``SOCIALACCOUNT_PROVIDERS`` setting).",
            "cve": null,
            "id": "pyup.io-36394",
            "specs": [
                "<0.28.0"
            ],
            "v": "<0.28.0"
        }
    ],
    "django-anonymizer": [
        {
            "advisory": "Changed 'Anonymizer.attributes' to require every field to be listed.  This is deal with the common security problem when a model is updated, but the Anonymizer is not updated.",
            "cve": null,
            "id": "pyup.io-25738",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        }
    ],
    "django-anonymizer-compat": [
        {
            "advisory": "Changed 'Anonymizer.attributes' to require every field to be listed.  This is deal with the common security problem when a model is updated, but the Anonymizer is not updated.",
            "cve": null,
            "id": "pyup.io-25739",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        }
    ],
    "django-anymail": [
        {
            "advisory": "In django-anymail before 1.4 the webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain the WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to the app.",
            "cve": "CVE-2018-6596",
            "id": "pyup.io-35178",
            "specs": [
                "<1.4"
            ],
            "v": "<1.4"
        },
        {
            "advisory": "In django-anymail v0.2\u2013v1.3 the WEBHOOK_AUTHORIZATION key might get leaked if DEBUG=True since it isn\u2019t sanitized properly.",
            "cve": null,
            "id": "pyup.io-35198",
            "specs": [
                ">=0.2,<1.4"
            ],
            "v": ">=0.2,<1.4"
        }
    ],
    "django-autocomplete-light": [
        {
            "advisory": "django-autocomplete-light before 2.3.0 when updating the queryset from outside the autocomplete class may lead to a security problem, ie. if you don't replicate filters you apply manually on the autocomplete object choices into choices_for_request() then a malicious user could see choices which they shouldn't by querying the autocomplete directly.",
            "cve": null,
            "id": "pyup.io-25740",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        }
    ],
    "django-awl": [
        {
            "advisory": "django-awl 0.22.2 updates minimum library requirements for django 2.0.2 and 2.1.2 to reflect\r\nsecurity updates.",
            "cve": null,
            "id": "pyup.io-36588",
            "specs": [
                "<0.22.2"
            ],
            "v": "<0.22.2"
        }
    ],
    "django-basicauth": [
        {
            "advisory": "django-basicauth before 0.4.2 is vulnerable to undisclosed timing attacks.",
            "cve": null,
            "id": "pyup.io-35076",
            "specs": [
                "<0.4.2"
            ],
            "v": "<0.4.2"
        }
    ],
    "django-ca": [
        {
            "advisory": "django-ca 1.10.0 stores CA private keys in the more secure PKCS8 format.",
            "cve": null,
            "id": "pyup.io-37015",
            "specs": [
                "<1.10.0"
            ],
            "v": "<1.10.0"
        },
        {
            "advisory": "django-ca before 1.9.0 did not properly escape x509 extensions, allowing for potential injection attacks.",
            "cve": null,
            "id": "pyup.io-36405",
            "specs": [
                "<1.9.0"
            ],
            "v": "<1.9.0"
        }
    ],
    "django-cms": [
        {
            "advisory": "django-cms 2.1.3 fixes a serious security issue in PlaceholderAdmin",
            "cve": null,
            "id": "pyup.io-25741",
            "specs": [
                "<2.1.3"
            ],
            "v": "<2.1.3"
        },
        {
            "advisory": "django-cms before 2.1.4 fixes a XSS issue in Text Plugins.",
            "cve": null,
            "id": "pyup.io-25742",
            "specs": [
                "<2.1.4"
            ],
            "v": "<2.1.4"
        },
        {
            "advisory": "django-cms 3.0.14 fixes an issue where privileged users could be tricked into performing actions without their knowledge via a CSRF vulnerability",
            "cve": null,
            "id": "pyup.io-25743",
            "specs": [
                "<3.0.14"
            ],
            "v": "<3.0.14"
        },
        {
            "advisory": "Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors.",
            "cve": "CVE-2015-5081",
            "id": "pyup.io-35628",
            "specs": [
                "<3.0.14",
                ">3.1,<3.1.1"
            ],
            "v": "<3.0.14,>3.1,<3.1.1"
        },
        {
            "advisory": "django-cms  3.2.4 addresses security vulnerabilities in the `render_model` template tag that could lead to escalation of privileges or other security issues. It also addresses a security vulnerability in the cms' usage of the messages framework. Furthermore it fixes security vulnerabilities in custom FormFields that could lead to escalation of privileges or other security issue",
            "cve": null,
            "id": "pyup.io-25746",
            "specs": [
                "<3.2.4"
            ],
            "v": "<3.2.4"
        },
        {
            "advisory": "django-cms 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code and a vulnerability where the next parameter for the toolbar login was not sanitised and could point to another domain.",
            "cve": null,
            "id": "pyup.io-34226",
            "specs": [
                "<3.4.3"
            ],
            "v": "<3.4.3"
        }
    ],
    "django-cms-patched": [
        {
            "advisory": "django-cms-patched before 3.0.17 has security vulnerabilities in the `render_model` template tag that could\r\n  lead to escalation of privileges or other security issues.",
            "cve": null,
            "id": "pyup.io-34123",
            "specs": [
                "<3.0.17"
            ],
            "v": "<3.0.17"
        },
        {
            "advisory": "django-cms-patched 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code.",
            "cve": null,
            "id": "pyup.io-34121",
            "specs": [
                "<3.4.3"
            ],
            "v": "<3.4.3"
        }
    ],
    "django-cors-headers": [
        {
            "advisory": "In django-cors-headers version 3.0.0, ``CORS_ORIGIN_WHITELIST`` requires URI schemes, and optionally ports. This is part of the CORS specification (Section 3.2 <https://tools.ietf.org/html/rfc6454section-3.2>) that was not implemented in this library, except from with the ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure ``http://`` Origins to a secure ``https://`` site.\r\n\r\nYou will need to update your whitelist to include schemes, for example from this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['example.com']\r\n\r\nto this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['https://example.com']",
            "cve": null,
            "id": "pyup.io-37132",
            "specs": [
                "<3.0.0"
            ],
            "v": "<3.0.0"
        }
    ],
    "django-countries": [
        {
            "advisory": "django-countries 3.4 fixes a XSS escaping issue in CountrySelectWidget.",
            "cve": null,
            "id": "pyup.io-25747",
            "specs": [
                "<3.4"
            ],
            "v": "<3.4"
        },
        {
            "advisory": "django-countries 3.4 fixes an XSS escaping issue in CountrySelectWidget",
            "cve": null,
            "id": "pyup.io-37951",
            "specs": [
                "<3.4"
            ],
            "v": "<3.4"
        }
    ],
    "django-crispy-forms": [
        {
            "advisory": "django-crispy-forms 1.1.4 contains a security fix: Thread safety fixes to `CrispyFieldNode` thanks to Paul Oswald. This avoids leaking information between requests in multithreaded WSGI servers.",
            "cve": null,
            "id": "pyup.io-25751",
            "specs": [
                "<1.1.4"
            ],
            "v": "<1.1.4"
        }
    ],
    "django-crispy-forms-ng": [
        {
            "advisory": "django-crispy-forms before 0.9.0 fixes a XSS bug thanks to Charlie Denton, see GH-98. Errors cannot be rendered safe, because field's input can be part of the error message, that would mean XSS.",
            "cve": null,
            "id": "pyup.io-25750",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        }
    ],
    "django-crm": [
        {
            "advisory": "MicroPyramid Django-CRM 0.2 does not use CSRF token for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.",
            "cve": "CVE-2018-16552",
            "id": "pyup.io-36440",
            "specs": [
                "<=0.2"
            ],
            "v": "<=0.2"
        }
    ],
    "django-dajaxice-me": [
        {
            "advisory": "django-dajaxice-me  0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.",
            "cve": null,
            "id": "pyup.io-25752",
            "specs": [
                "<0.1.7"
            ],
            "v": "<0.1.7"
        }
    ],
    "django-dajaxice-ng": [
        {
            "advisory": "django-dajaxice-ng  0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.",
            "cve": null,
            "id": "pyup.io-25753",
            "specs": [
                "<0.1.7"
            ],
            "v": "<0.1.7"
        }
    ],
    "django-discord-bind": [
        {
            "advisory": "django-discord-bind  0.2.0 added state validation to prevent CSRF attacks.",
            "cve": null,
            "id": "pyup.io-25754",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "django-embed-video": [
        {
            "advisory": "django-embed-video  0.3 has a security fix: faked urls are treated as invalid.",
            "cve": null,
            "id": "pyup.io-25755",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        }
    ],
    "django-envelope": [
        {
            "advisory": "django-envelope  0.4.1 contains a security bugfix regarding initial form values.",
            "cve": null,
            "id": "pyup.io-25756",
            "specs": [
                "<0.4.1"
            ],
            "v": "<0.4.1"
        }
    ],
    "django-epiced": [
        {
            "advisory": "django-epiced before 0.3.0 does not escape HTML output by default.",
            "cve": null,
            "id": "pyup.io-34269",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "django-epiceditor": [
        {
            "advisory": "There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field.",
            "cve": "CVE-2017-6591",
            "id": "pyup.io-35735",
            "specs": [
                "<=0.2.3"
            ],
            "v": "<=0.2.3"
        }
    ],
    "django-fernet-fields": [
        {
            "advisory": "django-fernet-fields 0.3 removes DualField and HashField. The only cases where they are useful, they aren't secure.",
            "cve": null,
            "id": "pyup.io-25757",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        },
        {
            "advisory": "django-fernet-fields before 0.3 has DualField and HashField. The only cases where they are useful, they aren't secure.",
            "cve": null,
            "id": "pyup.io-34331",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        }
    ],
    "django-fiber": [
        {
            "advisory": "django-fiber  0.9.9.1 contains a security bugfix: Changed permission check in API from IsAuthenticated to IsAdminUser",
            "cve": null,
            "id": "pyup.io-25758",
            "specs": [
                "<0.9.9.1"
            ],
            "v": "<0.9.9.1"
        }
    ],
    "django-filebrowser-no-grappelli-staff": [
        {
            "advisory": "django-filebrowser-no-grappelli-staff  3.4.2 fixes a XSS vulnerability with fb_tags.",
            "cve": null,
            "id": "pyup.io-25760",
            "specs": [
                "<3.4.2"
            ],
            "v": "<3.4.2"
        }
    ],
    "django-fluent-comments": [
        {
            "advisory": "django-fluent-comments  1.0.1 fixes security hash formatting errors on bad requests..",
            "cve": null,
            "id": "pyup.io-25761",
            "specs": [
                "<1.0.1"
            ],
            "v": "<1.0.1"
        }
    ],
    "django-formidable": [
        {
            "advisory": "Django-formidable 4.0.0 adds an XSS prevention mechanism.",
            "cve": null,
            "id": "pyup.io-37875",
            "specs": [
                "<4.0.0"
            ],
            "v": "<4.0.0"
        }
    ],
    "django-friendship": [
        {
            "advisory": "django-friendship 1.2.0 fixes a security issue where the library was not checking the owner of a FriendRequest during accept and cancelation.",
            "cve": null,
            "id": "pyup.io-25762",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "django-guts": [
        {
            "advisory": "django-guts 0.1.1 fixes a security issue, allowing anyone to read any file.",
            "cve": null,
            "id": "pyup.io-25763",
            "specs": [
                "<0.1.1"
            ],
            "v": "<0.1.1"
        }
    ],
    "django-hashedfilenamestorage": [
        {
            "advisory": "django-hashedfilenamestorage 2.4 bumps Django dependency requirement to avoid vulnerable Django versions",
            "cve": null,
            "id": "pyup.io-36802",
            "specs": [
                "<2.4"
            ],
            "v": "<2.4"
        }
    ],
    "django-hashid-field": [
        {
            "advisory": "Django-hashid-field 3.1.1 fixes a security bug where comparison operators (gt, gte, lt, lte) would allow integer lookups regardless of ALLOW_INT_LOOKUP setting.",
            "cve": null,
            "id": "pyup.io-37680",
            "specs": [
                "<3.1.1"
            ],
            "v": "<3.1.1"
        }
    ],
    "django-haystack": [
        {
            "advisory": "django-haystack 1.1 removes insecure use of ``eval`` from the Whoosh backend.",
            "cve": null,
            "id": "pyup.io-25764",
            "specs": [
                "<1.1"
            ],
            "v": "<1.1"
        }
    ],
    "django-hijack": [
        {
            "advisory": "django-hijack before 1.0.7 has a unspecified security issue and is vulnerable via unknown vectors.",
            "cve": null,
            "id": "pyup.io-25765",
            "specs": [
                "<1.0.7"
            ],
            "v": "<1.0.7"
        }
    ],
    "django-howl": [
        {
            "advisory": "django-howl 1.0.4 updates django version to avoid security warnings.",
            "cve": null,
            "id": "pyup.io-37240",
            "specs": [
                "<1.0.4"
            ],
            "v": "<1.0.4"
        },
        {
            "advisory": "Django-howl 1.0.5 updates Pipfile.lock and test environment to avoid security issues.",
            "cve": null,
            "id": "pyup.io-38069",
            "specs": [
                "<1.0.5"
            ],
            "v": "<1.0.5"
        }
    ],
    "django-html5-appcache": [
        {
            "advisory": "django-html5-appcache 0.3.0 added a security check for sensitive views.",
            "cve": null,
            "id": "pyup.io-25766",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "django-initial-avatars": [
        {
            "advisory": "django-initial-avatars before 0.4 has a unspecified security issue and is vulnerable via unknown vectors.",
            "cve": null,
            "id": "pyup.io-25767",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        },
        {
            "advisory": "django-initial-avatars before 0.5.0 has a unspecified security issue and is vulnerable via unknown vectors.",
            "cve": null,
            "id": "pyup.io-25768",
            "specs": [
                "<0.5.0"
            ],
            "v": "<0.5.0"
        }
    ],
    "django-jet": [
        {
            "advisory": "django-jet 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.",
            "cve": null,
            "id": "pyup.io-25769",
            "specs": [
                "<1.0.4"
            ],
            "v": "<1.0.4"
        }
    ],
    "django-lazysignup": [
        {
            "advisory": "django-lazysignup before 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.",
            "cve": null,
            "id": "pyup.io-25770",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "django-lazysignup-redux": [
        {
            "advisory": "django-lazysignup-redux 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.",
            "cve": null,
            "id": "pyup.io-25771",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "django-lfs": [
        {
            "advisory": "django-lfs before 0.6.9 has a unspecified security issue and is vulnerable via unknown vectors.",
            "cve": null,
            "id": "pyup.io-25772",
            "specs": [
                "<0.6.9"
            ],
            "v": "<0.6.9"
        }
    ],
    "django-mail-auth": [
        {
            "advisory": "Django-mail-auth 0.1.3 fixes session key security issues.",
            "cve": null,
            "id": "pyup.io-37171",
            "specs": [
                "<0.1.3"
            ],
            "v": "<0.1.3"
        }
    ],
    "django-make-app": [
        {
            "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.",
            "cve": "CVE-2017-16764",
            "id": "pyup.io-35722",
            "specs": [
                "<0.1.3"
            ],
            "v": "<0.1.3"
        }
    ],
    "django-markupfield": [
        {
            "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.",
            "cve": "CVE-2015-0846",
            "id": "pyup.io-25773",
            "specs": [
                "<1.3.2"
            ],
            "v": "<1.3.2"
        },
        {
            "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.",
            "cve": "CVE-2015-0846",
            "id": "pyup.io-25774",
            "specs": [
                "<1.3.3"
            ],
            "v": "<1.3.3"
        }
    ],
    "django-material": [
        {
            "advisory": "django-material 0.9.0 fixes a XSS vulnerability in input fields.",
            "cve": null,
            "id": "pyup.io-25775",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        },
        {
            "advisory": "django-material before 1.5.1 included a js injection vulnerability in a list view",
            "cve": null,
            "id": "pyup.io-36950",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "django-material-orange": [
        {
            "advisory": "django-material-orange before 0.9.0 has a XSS vulnerability in input fields.",
            "cve": null,
            "id": "pyup.io-32207",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        }
    ],
    "django-material-saldoo": [
        {
            "advisory": "django-material-saldoo before 0.9.0 has a XSS vulnerability in input fields.",
            "cve": null,
            "id": "pyup.io-32243",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        }
    ],
    "django-modern-rpc": [
        {
            "advisory": "django-modern-rpc before 0.8.1 isn't correctly checking the authentication backend when executing 'system.multicall()'.",
            "cve": null,
            "id": "pyup.io-34991",
            "specs": [
                "<0.8.1"
            ],
            "v": "<0.8.1"
        }
    ],
    "django-music-publisher": [
        {
            "advisory": "Django 2.1 had a minor security issue, so 2.1.2 was promptly released.. django-music-publisher before 18.9.1 included this issue.",
            "cve": null,
            "id": "pyup.io-36523",
            "specs": [
                "<18.9.1"
            ],
            "v": "<18.9.1"
        },
        {
            "advisory": "django-music-publisher 18.9.3 updates Django to fix a minor security issue.",
            "cve": null,
            "id": "pyup.io-36608",
            "specs": [
                "<18.9.3"
            ],
            "v": "<18.9.3"
        }
    ],
    "django-newsletter": [
        {
            "advisory": "django-newsletter before 0.7 allowed a user to subscribe others to the newsletter without authorization.",
            "cve": null,
            "id": "pyup.io-36318",
            "specs": [
                "<0.7"
            ],
            "v": "<0.7"
        },
        {
            "advisory": "django-newsletter 0.9 updates several dependencies (waitress, Django) due to security issues",
            "cve": null,
            "id": "pyup.io-37916",
            "specs": [
                "<0.9"
            ],
            "v": "<0.9"
        },
        {
            "advisory": "Django-newsletter 0.9b1 updates several dependencies due to security issues.",
            "cve": null,
            "id": "pyup.io-37677",
            "specs": [
                "<0.9b1"
            ],
            "v": "<0.9b1"
        }
    ],
    "django-ninecms": [
        {
            "advisory": "django-ninecms before 0.4.5b has a unknown security issue in its url configuration.",
            "cve": null,
            "id": "pyup.io-25776",
            "specs": [
                "<0.4.5b"
            ],
            "v": "<0.4.5b"
        }
    ],
    "django-orghierarchy": [
        {
            "advisory": "Django-orghierarchy 0.1.13 updates Django for security reasons.",
            "cve": null,
            "id": "pyup.io-37039",
            "specs": [
                "<0.1.13"
            ],
            "v": "<0.1.13"
        },
        {
            "advisory": "Django-orghierarchy 0.1.18 includes a not further specified security update.",
            "cve": null,
            "id": "pyup.io-37038",
            "specs": [
                "<0.1.18"
            ],
            "v": "<0.1.18"
        }
    ],
    "django-piston": [
        {
            "advisory": "emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.",
            "cve": "CVE-2011-4103",
            "id": "pyup.io-25777",
            "specs": [
                "<0.2.3"
            ],
            "v": "<0.2.3"
        }
    ],
    "django-pluggable-filebrowser": [
        {
            "advisory": "django-pluggable-filebrowser 3.4.2 fixes a security bug: added staff_member_required decorator to the upload-function.",
            "cve": null,
            "id": "pyup.io-25778",
            "specs": [
                "<3.4.2"
            ],
            "v": "<3.4.2"
        }
    ],
    "django-postman": [
        {
            "advisory": "django-postman 3.6.2 fixes issue 101, for security concern, ignore the scheme and domain parts in the 'next' query param.",
            "cve": null,
            "id": "pyup.io-36667",
            "specs": [
                "<3.6.2"
            ],
            "v": "<3.6.2"
        }
    ],
    "django-python3-ldap": [
        {
            "advisory": "django-python3-ldap 0.9.5 fixes a security vulnerability where username and password could be transmitted in plain text before starting TLS.",
            "cve": null,
            "id": "pyup.io-25779",
            "specs": [
                "<0.9.5"
            ],
            "v": "<0.9.5"
        },
        {
            "advisory": "django-python3-ldap 0.9.8 fixes a security vulnerability allowing users to authenticate with a valid username but with an empty password if anonymous authentication is allowed on the LDAP server.",
            "cve": null,
            "id": "pyup.io-25780",
            "specs": [
                "<0.9.8"
            ],
            "v": "<0.9.8"
        }
    ],
    "django-rated": [
        {
            "advisory": "django-rated before 1.1.2 has a unspecified security issue and is vulnerable via unknown vectors.",
            "cve": null,
            "id": "pyup.io-25781",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        }
    ],
    "django-registration": [
        {
            "advisory": "django-registration before 1.7 leaked password reset token through the Referer\r\nheader.",
            "cve": null,
            "id": "pyup.io-36431",
            "specs": [
                "<1.7"
            ],
            "v": "<1.7"
        }
    ],
    "django-registration-redux": [
        {
            "advisory": "django-registration-redux before 1.7 leaks password reset tokens through the Referer header. For more info, see: https://github.com/macropin/django-registration/pull/268",
            "cve": null,
            "id": "pyup.io-35199",
            "specs": [
                "<1.7"
            ],
            "v": "<1.7"
        }
    ],
    "django-relatives": [
        {
            "advisory": "django-relatives before 0.3.0 is vulnerable to a unspecified XSS issue.",
            "cve": null,
            "id": "pyup.io-25782",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "django-rest-registration": [
        {
            "advisory": "Django-rest-registration 0.5.0 fixes a critical security issue with misusing the Django Signer API. See: <https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh>.",
            "cve": null,
            "id": "pyup.io-37385",
            "specs": [
                "<0.5.0"
            ],
            "v": "<0.5.0"
        },
        {
            "advisory": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.",
            "cve": "CVE-2019-13177",
            "id": "pyup.io-37266",
            "specs": [
                "<0.5.0"
            ],
            "v": "<0.5.0"
        }
    ],
    "django-revproxy": [
        {
            "advisory": "django-revproxy 0.9.6 fixes a security issue that allowed remote-user header injection.",
            "cve": null,
            "id": "pyup.io-25783",
            "specs": [
                "<0.9.6"
            ],
            "v": "<0.9.6"
        },
        {
            "advisory": "django-revproxy 0.9.7 fixes a security issue: when colon is present at URL path urljoin ignores the upstream and the request is redirected to the path itself allowing content injection.",
            "cve": null,
            "id": "pyup.io-25784",
            "specs": [
                "<0.9.7"
            ],
            "v": "<0.9.7"
        }
    ],
    "django-safedelete": [
        {
            "advisory": "django-safedelete 0.3.3 contains a security fix that prevents an XSS attack in the admin interface.",
            "cve": null,
            "id": "pyup.io-25785",
            "specs": [
                "<0.3.3"
            ],
            "v": "<0.3.3"
        }
    ],
    "django-secure-auth": [
        {
            "advisory": "django-secure-auth 1.1 includes undisclosed security fixes.",
            "cve": null,
            "id": "pyup.io-34185",
            "specs": [
                "<1.1"
            ],
            "v": "<1.1"
        }
    ],
    "django-select2": [
        {
            "advisory": "django-select2 5.7.0 contains a security fix that allows a `field_id` to only be used for the intended JSON endpoint.",
            "cve": null,
            "id": "pyup.io-25787",
            "specs": [
                "<5.7.0"
            ],
            "v": "<5.7.0"
        }
    ],
    "django-selectable": [
        {
            "advisory": "django-selectable 0.5.2 fixes a XSS flaw with lookup ``get_item_*`` methods.",
            "cve": null,
            "id": "pyup.io-25788",
            "specs": [
                "<0.5.2"
            ],
            "v": "<0.5.2"
        }
    ],
    "django-server": [
        {
            "advisory": "django-server is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34982",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "django-session-security": [
        {
            "advisory": "django-session-security  2.4.0 fixes a vulnerability when SESSION_EXPIRE_AT_BROWSER_CLOSE is off.",
            "cve": null,
            "id": "pyup.io-25789",
            "specs": [
                "<2.4.0"
            ],
            "v": "<2.4.0"
        }
    ],
    "django-smart-selects": [
        {
            "advisory": "django-smart-selects before 1.5.0 allowed anybody to list arbitrary objects by tweaking URL parameters. 1.5.0 adds checks to the views to ensure that queries return an HTTP 403 (Permission denied) for models that do not have smart_selects fields defined.",
            "cve": null,
            "id": "pyup.io-34234",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "django-social-auth": [
        {
            "advisory": "django-social-auth 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to  external hosts.",
            "cve": null,
            "id": "pyup.io-25790",
            "specs": [
                "<0.7.2"
            ],
            "v": "<0.7.2"
        }
    ],
    "django-social-auth3": [
        {
            "advisory": "django-social-auth3 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to  external hosts.",
            "cve": null,
            "id": "pyup.io-25791",
            "specs": [
                "<0.7.2"
            ],
            "v": "<0.7.2"
        }
    ],
    "django-sql-explorer": [
        {
            "advisory": "django-sql-explorer before 1.1.0 isn't escaping values from the database correctly, making it open for potential XSS-attacks.",
            "cve": null,
            "id": "pyup.io-33293",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "django-sticky-uploads": [
        {
            "advisory": "django-sticky-uploads 0.2.0 fixes a security issue related to client changing the upload url specified by the widget for the upload.",
            "cve": null,
            "id": "pyup.io-25793",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "django-storages": [
        {
            "advisory": "In django-storages before 1.7 - the ``S3BotoStorage`` and ``S3Boto3Storage`` backends have an insecure default ACL of ``public-read``. It is recommended that all current users upgrade to 1.7 and audit their bucket permissions.  Support has been added for setting ``AWS_DEFAULT_ACL = None`` and ``AWS_BUCKET_ACL = None``. V1.7 will raise a warning if ``AWS_DEFAULT_ACL`` or ``AWS_BUCKET_ACL`` is not explicitly set.",
            "cve": null,
            "id": "pyup.io-36434",
            "specs": [
                "<1.7"
            ],
            "v": "<1.7"
        }
    ],
    "django-tastypie": [
        {
            "advisory": "The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.",
            "cve": "CVE-2011-4104",
            "id": "pyup.io-25794",
            "specs": [
                "<0.9.10"
            ],
            "v": "<0.9.10"
        }
    ],
    "django-triggers": [
        {
            "advisory": "Django-triggers 2.0.13 updates some dependencies to their latest secure versions.",
            "cve": null,
            "id": "pyup.io-37072",
            "specs": [
                "<2.0.13"
            ],
            "v": "<2.0.13"
        }
    ],
    "django-ucamlookup": [
        {
            "advisory": "django-ucamlookup 1.9 fixes XXS vulnerability in template macros",
            "cve": null,
            "id": "pyup.io-36744",
            "specs": [
                "<1.9"
            ],
            "v": "<1.9"
        }
    ],
    "django-uni-form": [
        {
            "advisory": "django-uni-form  0.9.0 fixes a XSS security issue. Errors cannot be rendered safe, because field's input can be part of the error message, that would mean XSS.",
            "cve": null,
            "id": "pyup.io-25796",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        }
    ],
    "django-user-accounts": [
        {
            "advisory": "django-user-accounts before 2.0.2 has a potentional security issue with leaking password reset tokens through HTTP Referer header.",
            "cve": null,
            "id": "pyup.io-34774",
            "specs": [
                "<2.0.2"
            ],
            "v": "<2.0.2"
        }
    ],
    "django-watchman": [
        {
            "advisory": "django-watchman  0.10.0 improves security by keeping tokens out of logs.",
            "cve": null,
            "id": "pyup.io-25797",
            "specs": [
                "<0.10.0"
            ],
            "v": "<0.10.0"
        }
    ],
    "djangocms-admin-style": [
        {
            "advisory": "djangocms-admin-style 1.2.5 fixes a potential security issue if the ``Site.name`` field contains malicious code.",
            "cve": null,
            "id": "pyup.io-36834",
            "specs": [
                "<1.2.5"
            ],
            "v": "<1.2.5"
        }
    ],
    "djangocms-highlightjs": [
        {
            "advisory": "djangocms-highlightjs before 0.3.1 has a unspecified security issue and is vulnerable via unknown vectors.",
            "cve": null,
            "id": "pyup.io-25798",
            "specs": [
                "<0.3.1"
            ],
            "v": "<0.3.1"
        }
    ],
    "djangorestframework": [
        {
            "advisory": "djangorestframework 2.2.1 fixes a security issue: Use `defusedxml` package to address XML parsing vulnerabilities.",
            "cve": null,
            "id": "pyup.io-25799",
            "specs": [
                "<2.2.1"
            ],
            "v": "<2.2.1"
        },
        {
            "advisory": "djangorestframework 2.3.12 fixes a security issue: `OrderingField` now only allows ordering on readable serializer fields, or on fields explicitly specified using `ordering_fields`. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.",
            "cve": null,
            "id": "pyup.io-25800",
            "specs": [
                "<2.3.12"
            ],
            "v": "<2.3.12"
        },
        {
            "advisory": "djangorestframework 2.3.14 fixes a security issue: Escape request path when it is include as part of the login and logout links in the browsable API.",
            "cve": null,
            "id": "pyup.io-25801",
            "specs": [
                "<2.3.14"
            ],
            "v": "<2.3.14"
        },
        {
            "advisory": "djangorestframework 2.4.4 fixes a security issue: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.",
            "cve": null,
            "id": "pyup.io-25802",
            "specs": [
                "<2.4.4"
            ],
            "v": "<2.4.4"
        },
        {
            "advisory": "djangorestframework  2.4.5 fixes a security issue: Escape tab switching cookie name in browsable API. [Backported from 3.1.1]",
            "cve": null,
            "id": "pyup.io-25803",
            "specs": [
                "<2.4.5"
            ],
            "v": "<2.4.5"
        },
        {
            "advisory": "djangorestframework 3.1.1 fixes a security issue: : Escape tab switching cookie name in browsable API.",
            "cve": null,
            "id": "pyup.io-25804",
            "specs": [
                "<3.1.1"
            ],
            "v": "<3.1.1"
        }
    ],
    "djangorestframework-api-key": [
        {
            "advisory": "djangorestframework-api-key before 0.2.0 the API key was stored in plaintext in database.",
            "cve": null,
            "id": "pyup.io-36524",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "djangorestframework-simplejwt": [
        {
            "advisory": "djangorestframework-simplejwt before 1.5 allowed `__getattr__` access to the underlying JWT through the `rest_framework_simplejwt.module.TokenUser` class.",
            "cve": null,
            "id": "pyup.io-34792",
            "specs": [
                "<1.5"
            ],
            "v": "<1.5"
        }
    ],
    "djangosaml2": [
        {
            "advisory": "djangosaml2 0.17.2 upgrades the pysaml2 dependency to version 4.6.0 which fixes a security issue.",
            "cve": null,
            "id": "pyup.io-36423",
            "specs": [
                "<0.17.2"
            ],
            "v": "<0.17.2"
        }
    ],
    "djblets": [
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.",
            "cve": "CVE-2014-3994",
            "id": "pyup.io-35571",
            "specs": [
                "<0.8.3"
            ],
            "v": "<0.8.3"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.",
            "cve": "CVE-2014-3995",
            "id": "pyup.io-35572",
            "specs": [
                "<0.8.3"
            ],
            "v": "<0.8.3"
        },
        {
            "advisory": "An eval() vulnerability exists in Python Software Foundation Djblets 0.7.21 and Beanbag Review Board before 1.7.15 when parsing JSON requests. See: CVE-2013-4409.",
            "cve": "CVE-2013-4409",
            "id": "pyup.io-37636",
            "specs": [
                "==0.7.21"
            ],
            "v": "==0.7.21"
        }
    ],
    "djedefre": [
        {
            "advisory": "djedefre 0.7.0 fixes a security bug in \"djoser.views.UserView\"",
            "cve": null,
            "id": "pyup.io-37913",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        },
        {
            "advisory": "djedefre 1.3.2 fixes vulnerability of user endpoints.",
            "cve": null,
            "id": "pyup.io-37912",
            "specs": [
                "<1.3.2"
            ],
            "v": "<1.3.2"
        },
        {
            "advisory": "djedefre 1.5.1 fixes a vulnerability of UserViewSet that allows to create new accounts on wrong endpoint",
            "cve": null,
            "id": "pyup.io-37911",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "djoser": [
        {
            "advisory": "djoser 0.7.0 fixes a security bug in djoser.views.UserView. (Missing more information)",
            "cve": null,
            "id": "pyup.io-34904",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        },
        {
            "advisory": "djoser 1.3.2 fixes vulnerability of user endpoints.",
            "cve": null,
            "id": "pyup.io-36711",
            "specs": [
                "<1.3.2"
            ],
            "v": "<1.3.2"
        },
        {
            "advisory": "djoser 1.5.1 fixes a vulnerability of UserViewSet that allowed to create new accounts on wrong endpoint.",
            "cve": null,
            "id": "pyup.io-37010",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "dlhub-gateway": [
        {
            "advisory": "Dlhub-gateway 2.0.0 fixes security requirements in the swagger spec.",
            "cve": null,
            "id": "pyup.io-37339",
            "specs": [
                "<2.0.0"
            ],
            "v": "<2.0.0"
        }
    ],
    "dmoj": [
        {
            "advisory": "Dmoj 1.4.0 includes a number of enhancements and security fixes.",
            "cve": null,
            "id": "pyup.io-37474",
            "specs": [
                "<1.4.0"
            ],
            "v": "<1.4.0"
        }
    ],
    "docassemble": [
        {
            "advisory": "Docassemble 0.5.105 upgrades 'bleach' due to security vulnerability",
            "cve": null,
            "id": "pyup.io-37941",
            "specs": [
                "<0.5.105"
            ],
            "v": "<0.5.105"
        }
    ],
    "docker": [
        {
            "advisory": "docker 3.5.1 bumps version of `pyOpenSSL` in `requirements.txt` and `setup.py` to prevent\r\n  installation of a vulnerable version.",
            "cve": null,
            "id": "pyup.io-36783",
            "specs": [
                "<3.5.1"
            ],
            "v": "<3.5.1"
        }
    ],
    "docker-registry": [
        {
            "advisory": "docker-registry 0.8.1 has security fixes (path traversing prevention and token validation).",
            "cve": null,
            "id": "pyup.io-25805",
            "specs": [
                "<0.8.1"
            ],
            "v": "<0.8.1"
        }
    ],
    "donfig": [
        {
            "advisory": "An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collect_yaml method in config_obj.py. It can execute arbitrary Python commands, resulting in command execution.",
            "cve": "CVE-2019-7537",
            "id": "pyup.io-36976",
            "specs": [
                "==0.3.0"
            ],
            "v": "==0.3.0"
        }
    ],
    "dpaste": [
        {
            "advisory": "dpaste 2.8 fixes a XSS bug where HTML tags were not properly escaped with the simple  ``code`` lexer.",
            "cve": null,
            "id": "pyup.io-25807",
            "specs": [
                "<2.8"
            ],
            "v": "<2.8"
        }
    ],
    "dplib": [
        {
            "advisory": "dplib 1.4 fixes some security issues and added support for mapchange and namechange events",
            "cve": null,
            "id": "pyup.io-35851",
            "specs": [
                "<1.4"
            ],
            "v": "<1.4"
        }
    ],
    "drf-tracking": [
        {
            "advisory": "drf-tracking before 1.3.0",
            "cve": null,
            "id": "pyup.io-34856",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        }
    ],
    "dulwich": [
        {
            "advisory": "Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.",
            "cve": "CVE-2015-0838",
            "id": "pyup.io-25808",
            "specs": [
                "<0.9.920150320"
            ],
            "v": "<0.9.920150320"
        }
    ],
    "easy-install": [
        {
            "advisory": "easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.",
            "cve": "CVE-2013-1633",
            "id": "pyup.io-25809",
            "specs": [
                "<0.7"
            ],
            "v": "<0.7"
        },
        {
            "advisory": "easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.",
            "cve": null,
            "id": "pyup.io-33124",
            "specs": [
                "<0.7"
            ],
            "v": "<0.7"
        }
    ],
    "ec2-metadata": [
        {
            "advisory": "Ec2-metadata 2.2.0 moves to use Instance Metadata Service version 2 due to its increased security - see: https://github.com/adamchainz/ec2-metadata/issues/150",
            "cve": null,
            "id": "pyup.io-38053",
            "specs": [
                "<2.2.0"
            ],
            "v": "<2.2.0"
        }
    ],
    "ecdsa": [
        {
            "advisory": "A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. See: CVE-2019-14859.",
            "cve": "CVE-2019-14859",
            "id": "pyup.io-37763",
            "specs": [
                "<0.13.3"
            ],
            "v": "<0.13.3"
        },
        {
            "advisory": "An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service. See CVE-2019-14853.",
            "cve": "CVE-2019-14853",
            "id": "pyup.io-37762",
            "specs": [
                "<0.13.3"
            ],
            "v": "<0.13.3"
        },
        {
            "advisory": "In ecdsa 0.14, deterministic signatures verify that the signature won't leak private key through very unlikely selection of `k` value (the nonce). Nonce bit size hiding was added (hardening against Minerva attack). Please note that it DOES NOT make library secure against side channel attacks (timing attacks).",
            "cve": null,
            "id": "pyup.io-37637",
            "specs": [
                "<0.14"
            ],
            "v": "<0.14"
        }
    ],
    "edrnsite.policy": [
        {
            "advisory": "Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors.",
            "cve": "CVE-2011-0720",
            "id": "pyup.io-25810",
            "specs": [
                "<1.0.5"
            ],
            "v": "<1.0.5"
        }
    ],
    "eh": [
        {
            "advisory": "eh 0.2.8 changes: Fixed pyyaml security issue",
            "cve": null,
            "id": "pyup.io-37217",
            "specs": [
                "<0.2.8"
            ],
            "v": "<0.2.8"
        },
        {
            "advisory": "Eh 1.3.0 fixes a pyyaml security issue.",
            "cve": null,
            "id": "pyup.io-37500",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        }
    ],
    "electrumx": [
        {
            "advisory": "electrumx before 1.4.1 did not use PROTOCOL_MIN to 1.0; this did not prevent 2.9.x clients from connecting\r\n  and encouraging upgrades to more recent clients without the security hole.",
            "cve": null,
            "id": "pyup.io-36324",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        }
    ],
    "engineio-client": [
        {
            "advisory": "engineio-client 3.1.2 - Bumps ws to version 1.1.2 (vulnerability fix) (539)",
            "cve": null,
            "id": "pyup.io-36801",
            "specs": [
                "<3.1.2"
            ],
            "v": "<3.1.2"
        },
        {
            "advisory": "engineio-client 3.1.2 removes the parsejson dependency, which is vulnerable to a Regular Expression Denial of Service (NSP advisory [528](https://nodesecurity.io/advisories/528)). Please update as soon as possible.",
            "cve": null,
            "id": "pyup.io-36800",
            "specs": [
                "<3.1.2"
            ],
            "v": "<3.1.2"
        },
        {
            "advisory": "engineio-client 3.1.4 updates the `ws` package, as the previous version was vulnerable to a Regular Expression Denial of Service (NSP advisory [#550](https://nodesecurity.io/advisories/550)). Please update as soon as possible.",
            "cve": null,
            "id": "pyup.io-36799",
            "specs": [
                "<3.1.4"
            ],
            "v": "<3.1.4"
        }
    ],
    "errbot": [
        {
            "advisory": "errbot 1.3.0 fixes a security issue: the plugin directory permissions were too lax.",
            "cve": null,
            "id": "pyup.io-25812",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        }
    ],
    "esptool": [
        {
            "advisory": "esptool before 2.5.0 `digest_secure_bootloader` could produce incorrect digest.",
            "cve": null,
            "id": "pyup.io-36328",
            "specs": [
                "<2.5.0"
            ],
            "v": "<2.5.0"
        }
    ],
    "eth-hash": [
        {
            "advisory": "eth-hash before 0.1.5 used an unsafe version of `pycryptodome`. 0.1.5 upgrades `pycryptodome` to `>=3.6.6,<4` to fix this recently discovered vulnerability",
            "cve": null,
            "id": "pyup.io-36438",
            "specs": [
                "<0.1.5"
            ],
            "v": "<0.1.5"
        }
    ],
    "etherweaver": [
        {
            "advisory": "etherweaver 0.3.0 upgrades paramiko to 2.4.2 to eliminate CVE-2018-1000805 vulnerability",
            "cve": "CVE-2018-1000805",
            "id": "pyup.io-36549",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "ethically": [
        {
            "advisory": "Ethically 0.0.3 fixes security issues with dependencies.",
            "cve": null,
            "id": "pyup.io-37042",
            "specs": [
                "<0.0.3"
            ],
            "v": "<0.0.3"
        }
    ],
    "ethsnarks": [
        {
            "advisory": "Ethsnarks 0.18.10.1 fixes security bugs in MiMC-p/p and Miximus.",
            "cve": null,
            "id": "pyup.io-37387",
            "specs": [
                "<0.18.10.1"
            ],
            "v": "<0.18.10.1"
        }
    ],
    "etlstat": [
        {
            "advisory": "etlstat 0.6.1 updates SQLAlchemy in requirements.txt to fix moderate security issues",
            "cve": null,
            "id": "pyup.io-37878",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        }
    ],
    "euphorie": [
        {
            "advisory": "Euphorie 11.1.2 tightens the security on several client views.",
            "cve": null,
            "id": "pyup.io-37459",
            "specs": [
                "<11.1.2"
            ],
            "v": "<11.1.2"
        },
        {
            "advisory": "euphorie 6.1 fixes a security issue: modify client to always check if a survey session belongs to the current user.",
            "cve": null,
            "id": "pyup.io-25813",
            "specs": [
                "<6.1"
            ],
            "v": "<6.1"
        }
    ],
    "event-tracking": [
        {
            "advisory": "event-tracking 0.2.9 changes: This upgrade will fix the security vulnerability in the old versions of jinja2.",
            "cve": null,
            "id": "pyup.io-37232",
            "specs": [
                "<0.2.9"
            ],
            "v": "<0.2.9"
        }
    ],
    "extensiveautomation-server": [
        {
            "advisory": "Extensiveautomation-server 12.1.0 reactivates SSLv3 cipher to support Linux client in python 2.6, fixes a security issue on folder creation in repository (no more full rights), and fixes a security issue on web services (bad  handle of the level access).",
            "cve": null,
            "id": "pyup.io-37348",
            "specs": [
                "<12.1.0"
            ],
            "v": "<12.1.0"
        },
        {
            "advisory": "Extensiveautomation-server 13.0.0 includes various security improvements:\r\n- No longer uses truncate tables.\r\n- No longer creates folders with 777 mode.\r\n- Includes a new script to secure the server after a from-scratch installation.\r\n- Dumps mysql user in settings file, with updates on all services.",
            "cve": null,
            "id": "pyup.io-37347",
            "specs": [
                "<13.0.0"
            ],
            "v": "<13.0.0"
        },
        {
            "advisory": "Extensiveautomation-server 14.0.0 includes various security updates:\r\n- It has a minor improvement to secure the product (php and apache).\r\n- It encrypts test environment data.\r\n- It no longer run server as root.\r\n- It no longer uses the root account for database access.",
            "cve": null,
            "id": "pyup.io-37346",
            "specs": [
                "<14.0.0"
            ],
            "v": "<14.0.0"
        },
        {
            "advisory": "Extensiveautomation-server 16.0.0 fixes a security issue on rest API: it fixes the error on the get variables listing.",
            "cve": null,
            "id": "pyup.io-37345",
            "specs": [
                "<16.0.0"
            ],
            "v": "<16.0.0"
        }
    ],
    "eyed3": [
        {
            "advisory": "tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file.",
            "cve": "CVE-2014-1934",
            "id": "pyup.io-35538",
            "specs": [
                "<0.6.18"
            ],
            "v": "<0.6.18"
        }
    ],
    "faker": [
        {
            "advisory": "Faker 0.1 includes the message: \"`bundler-audit` has identified that i18 has fix a security vulnerability, that has been fixed in the 0.8 version.\"",
            "cve": null,
            "id": "pyup.io-37386",
            "specs": [
                "<0.1"
            ],
            "v": "<0.1"
        },
        {
            "advisory": "Faker 2.1.2: `bundler-audit` has identified that i18 has a security vulnerability, that has been fixed in the 0.8 version.",
            "cve": null,
            "id": "pyup.io-37658",
            "specs": [
                "<2.1.2"
            ],
            "v": "<2.1.2"
        }
    ],
    "fast-curator": [
        {
            "advisory": "Fast-curator 0.2.2 switches to pyyaml `safe_load` for better security.",
            "cve": null,
            "id": "pyup.io-37514",
            "specs": [
                "<0.2.2"
            ],
            "v": "<0.2.2"
        }
    ],
    "fastapi": [
        {
            "advisory": "Fastapi 0.18.0 updates dependencies for security reasons.",
            "cve": null,
            "id": "pyup.io-37084",
            "specs": [
                "<0.18.0"
            ],
            "v": "<0.18.0"
        },
        {
            "advisory": "Fastapi 0.30.0 avoids/fixes a potential security issue: as the returned object is passed directly to Pydantic, if the returned object was a subclass of the `response_model` (e.g. you return a `UserInDB` that inherits from `User` but contains extra fields, like `hashed_password`, and `User` is used in the `response_model`), it would still pass the validation (because `UserInDB` is a subclass of `User`) and the object would be returned as-is, including the `hashed_password`. To fix this, the declared `response_model` is cloned, if it is a Pydantic model class (or contains Pydantic model classes in it, e.g. in a `List[Item]`), the Pydantic model class(es) will be a different one (the \"cloned\" one). So, an object that is a subclass won't simply pass the validation and returned as-is, because it is no longer a sub-class of the cloned `response_model`. Instead, a new Pydantic model object will be created with the contents of the returned object. So, it will be a new object (made with the data from the returned one), and will be filtered by the cloned `response_model`, containing only the declared fields as normally.",
            "cve": null,
            "id": "pyup.io-37231",
            "specs": [
                "<0.30.0"
            ],
            "v": "<0.30.0"
        },
        {
            "advisory": "Fastapi 0.37.0 fixes a security issue: when returning a sub-class of a response model and using `skip_defaults` it could leak information. See: https://github.com/tiangolo/fastapi/pull/485",
            "cve": null,
            "id": "pyup.io-37428",
            "specs": [
                "<0.37.0"
            ],
            "v": "<0.37.0"
        }
    ],
    "featureserver": [
        {
            "advisory": "featureserver before 1.06 allowed JSON callbacks.",
            "cve": null,
            "id": "pyup.io-25814",
            "specs": [
                "<1.06"
            ],
            "v": "<1.06"
        }
    ],
    "fedmsg": [
        {
            "advisory": "FedMsg 0.18.1 and older is vulnerable to a message validation flaw resulting in message validation not being enabled if configured to be on.",
            "cve": "CVE-2017-1000001",
            "id": "pyup.io-34879",
            "specs": [
                "<0.18.2"
            ],
            "v": "<0.18.2"
        }
    ],
    "feedparser": [
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0 allows remote attackers to inject arbitrary web script or HTML via vectors involving nested CDATA stanzas.",
            "cve": "CVE-2009-5065",
            "id": "pyup.io-25815",
            "specs": [
                "<5.0"
            ],
            "v": "<5.0"
        },
        {
            "advisory": "feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0.1 allows remote attackers to cause a denial of service (application crash) via a malformed DOCTYPE declaration.",
            "cve": "CVE-2011-1156",
            "id": "pyup.io-33125",
            "specs": [
                "<5.0.1"
            ],
            "v": "<5.0.1"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments.",
            "cve": "CVE-2011-1157",
            "id": "pyup.io-33126",
            "specs": [
                "<5.0.1"
            ],
            "v": "<5.0.1"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI.",
            "cve": "CVE-2011-1158",
            "id": "pyup.io-33127",
            "specs": [
                "<5.0.1"
            ],
            "v": "<5.0.1"
        },
        {
            "advisory": "Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.",
            "cve": "CVE-2012-2921",
            "id": "pyup.io-25819",
            "specs": [
                "<5.1.2"
            ],
            "v": "<5.1.2"
        }
    ],
    "fincity-django-allauth": [
        {
            "advisory": "In fincity-django-allauth 0.18.0, the Persona provider now requires the ``AUDIENCE`` parameter to be explicitly configured, as required by the Persona specification for security reasons. Also, the inline Javascript is removed from the ``fbconnect.html`` template, which allows for a more strict ``Content-Security-Policy``. If you were using the builtin ``fbconnect.html`` this change should go by unnoticed.",
            "cve": null,
            "id": "pyup.io-37466",
            "specs": [
                "<0.18.0"
            ],
            "v": "<0.18.0"
        },
        {
            "advisory": "Version prior to fincity-django-allauth 0.28.0 contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.",
            "cve": null,
            "id": "pyup.io-37464",
            "specs": [
                "<0.28.0"
            ],
            "v": "<0.28.0"
        },
        {
            "advisory": "Before fincity-django-allauth 0.34.0, the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.",
            "cve": null,
            "id": "pyup.io-37463",
            "specs": [
                "<0.34.0"
            ],
            "v": "<0.34.0"
        },
        {
            "advisory": "As an extra security measure on top of what the standard Django password reset token generator is already facilitating, allauth in fincity-django-allauth 0.35.0 adds the user email address to the hash such that whenever the user's email address changes the token is invalidated.",
            "cve": null,
            "id": "pyup.io-37462",
            "specs": [
                "<0.35.0"
            ],
            "v": "<0.35.0"
        },
        {
            "advisory": "Before fincity-django-allauth 0.38.0, the ``{% user_display user %}`` tag did not escape properly. Depending on the username validation rules, this could lead to XSS issues.",
            "cve": null,
            "id": "pyup.io-37465",
            "specs": [
                "<0.38.0"
            ],
            "v": "<0.38.0"
        }
    ],
    "flashfocus": [
        {
            "advisory": "flashfocus 1.2.0 updates pyaml version in requirements due to security vulnerability",
            "cve": null,
            "id": "pyup.io-36825",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "flask": [
        {
            "advisory": "flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.",
            "cve": "CVE-2018-1000656",
            "id": "pyup.io-36388",
            "specs": [
                "<0.12.3"
            ],
            "v": "<0.12.3"
        },
        {
            "advisory": "flask 0.6.1 fixes a security problem that allowed clients to download arbitrary files  if the host server was a windows based operating system and the client  uses backslashes to escape the directory the files where exposed from.",
            "cve": null,
            "id": "pyup.io-25820",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        }
    ],
    "flask-admin": [
        {
            "advisory": "flask-admin  1.3.0 fixes a XSS vulnerability in column_editable_list values.",
            "cve": null,
            "id": "pyup.io-25821",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        },
        {
            "advisory": "flask-admin before 1.5.2 had an XSS vulnerability.",
            "cve": null,
            "id": "pyup.io-36408",
            "specs": [
                "<1.5.2"
            ],
            "v": "<1.5.2"
        },
        {
            "advisory": "flask-admin 1.5.3 fixes an XSS vulnerability",
            "cve": null,
            "id": "pyup.io-36746",
            "specs": [
                "<1.5.3"
            ],
            "v": "<1.5.3"
        },
        {
            "advisory": "helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL.\r\nsee https://github.com/flask-admin/flask-admin/pull/1699",
            "cve": "CVE-2018-16516",
            "id": "pyup.io-36437",
            "specs": [
                "<=1.5.2"
            ],
            "v": "<=1.5.2"
        }
    ],
    "flask-appbuilder": [
        {
            "advisory": "Flask-appbuilder 0.2.0 includes reset password corrections.",
            "cve": null,
            "id": "pyup.io-37060",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        },
        {
            "advisory": "Flask-appbuilder 0.7.8 has better security than previous versions. No details are given.",
            "cve": null,
            "id": "pyup.io-37064",
            "specs": [
                "<0.7.8"
            ],
            "v": "<0.7.8"
        },
        {
            "advisory": "flask-appbuilder 0.7.8 adds new, added optional parameter \"label\" and \"category_label\" for menu items, better security and i18n",
            "cve": null,
            "id": "pyup.io-37905",
            "specs": [
                "<0.7.8"
            ],
            "v": "<0.7.8"
        },
        {
            "advisory": "flask-appbuilder 1.9.0 prevents masquerade attacks through oauth providers",
            "cve": null,
            "id": "pyup.io-37828",
            "specs": [
                "<1.9.0"
            ],
            "v": "<1.9.0"
        },
        {
            "advisory": "Flask-appbuilder 1.9.0 prevent masquerade attacks through OAuth providers and fixes crash on OAuth errors, which was a security concern.",
            "cve": null,
            "id": "pyup.io-37061",
            "specs": [
                "<1.9.0"
            ],
            "v": "<1.9.0"
        },
        {
            "advisory": "flask-appbuilder 1.9.2 fixes possible SQL injection vulnerability",
            "cve": null,
            "id": "pyup.io-37297",
            "specs": [
                "<1.9.2"
            ],
            "v": "<1.9.2"
        },
        {
            "advisory": "Flask-appbuilder 2.2.2 make userstatschartview optional (a security issue) (#1239).",
            "cve": null,
            "id": "pyup.io-37059",
            "specs": [
                "<2.2.2"
            ],
            "v": "<2.2.2"
        },
        {
            "advisory": "Flask-appbuilder 2.2.4 toggles pvm, perm and vm mvc views config options (a security issue) (#1259).",
            "cve": null,
            "id": "pyup.io-37130",
            "specs": [
                "<2.2.4"
            ],
            "v": "<2.2.4"
        }
    ],
    "flask-async": [
        {
            "advisory": "flask-async  0.6.1 fixes a security problem that allowed clients to download arbitrary files  if the host server was a windows based operating system and the client  uses backslashes to escape the directory the files where exposed from.",
            "cve": null,
            "id": "pyup.io-25822",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        }
    ],
    "flask-exceptions": [
        {
            "advisory": "flask-exceptions 1.2.2 update is for security vulnerabilities",
            "cve": null,
            "id": "pyup.io-36812",
            "specs": [
                "<1.2.2"
            ],
            "v": "<1.2.2"
        }
    ],
    "flask-flatpages": [
        {
            "advisory": "Flask-flatpages 0.7.1 updates its dependencies to resolve some severe security alerts.",
            "cve": null,
            "id": "pyup.io-37077",
            "specs": [
                "<0.7.1"
            ],
            "v": "<0.7.1"
        }
    ],
    "flask-i18n": [
        {
            "advisory": "flask-i18n 1.1.1 update is for security vulnerabilities",
            "cve": null,
            "id": "pyup.io-36814",
            "specs": [
                "<1.1.1"
            ],
            "v": "<1.1.1"
        }
    ],
    "flask-images": [
        {
            "advisory": "flask-images 1.1.3 fixes 3 security bugs, each of which would allow for reading any image on disk.",
            "cve": null,
            "id": "pyup.io-25823",
            "specs": [
                "<1.1.3"
            ],
            "v": "<1.1.3"
        }
    ],
    "flask-ipban": [
        {
            "advisory": "flask-ipban 0.2.2 fixes a yaml loading vulnerability.",
            "cve": null,
            "id": "pyup.io-36997",
            "specs": [
                "<0.2.2"
            ],
            "v": "<0.2.2"
        }
    ],
    "flask-logger": [
        {
            "advisory": "flask-logger 1.0.3 updates dependencies for security issues in Flask.",
            "cve": null,
            "id": "pyup.io-36811",
            "specs": [
                "<1.0.3"
            ],
            "v": "<1.0.3"
        }
    ],
    "flask-micropub": [
        {
            "advisory": "flask-micropub 0.2.2 fixes a vulnerability; re-discover the authorization_endpoint and token_endpoint at each stage in the flow. Prevents a buggy or malicious authorization_endpoint from giving you credentials for another user's domain name.",
            "cve": null,
            "id": "pyup.io-25824",
            "specs": [
                "<0.2.2"
            ],
            "v": "<0.2.2"
        }
    ],
    "flask-monitoring": [
        {
            "advisory": "flask-monitoring 1.10.0 adds security for automatic endpoint-data retrieval",
            "cve": null,
            "id": "pyup.io-37847",
            "specs": [
                "<1.10.0"
            ],
            "v": "<1.10.0"
        }
    ],
    "flask-oauthlib": [
        {
            "advisory": "flask-oauthlib before 0.9.1 improves on security. (Without further details).",
            "cve": null,
            "id": "pyup.io-25825",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        }
    ],
    "flask-oidc": [
        {
            "advisory": "flask-oidc version 0.1.2 and earlier is vulnerable to an open redirect",
            "cve": "CVE-2016-1000001",
            "id": "pyup.io-25826",
            "specs": [
                "<0.1.2"
            ],
            "v": "<0.1.2"
        }
    ],
    "flask-security-fork": [
        {
            "advisory": "flask-security-fork before 1.8.1 fixes a security bug when validating a confirmation token, also checks if the email that the token was created with matches the user's current email.",
            "cve": null,
            "id": "pyup.io-25827",
            "specs": [
                "<1.8.1"
            ],
            "v": "<1.8.1"
        }
    ],
    "flask-sieve": [
        {
            "advisory": "Flask-sieve 1.1.0 updates Pillow (PIL-fork) to fix security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37632",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "flask-socketio": [
        {
            "advisory": "Flask-socketio 4.2.0 addresses potential websocket cross-origin attacks. See: <https://github.com/miguelgrinberg/python-engineio/issues/128>.",
            "cve": null,
            "id": "pyup.io-37309",
            "specs": [
                "<4.2.0"
            ],
            "v": "<4.2.0"
        }
    ],
    "flask-statsdclient": [
        {
            "advisory": "flask-statsdclient 2.0.2 is for security vulnerabilities",
            "cve": null,
            "id": "pyup.io-36813",
            "specs": [
                "<2.0.2"
            ],
            "v": "<2.0.2"
        }
    ],
    "flex": [
        {
            "advisory": "flex before 6.12.0 uses the unsafe `yaml.load` function to load YAML files, leading to an attack vector that allows remote code execution.",
            "cve": null,
            "id": "pyup.io-35155",
            "specs": [
                "<6.12.0"
            ],
            "v": "<6.12.0"
        }
    ],
    "foolscap": [
        {
            "advisory": "In foolscap before 0.7.0 the \"flappserver\" feature was found to have a vulnerability in the service-lookup code which, when combined with an attacker who has the ability to write files to a location where the flappserver process could read them, would allow that attacker to obtain control of the flappserver process.\r\n\r\nUsers who run flappservers should upgrade to 0.7.0, where this was fixed as part of 226.",
            "cve": null,
            "id": "pyup.io-25828",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        }
    ],
    "form-designer": [
        {
            "advisory": "form-designer 0.8 fixes an XSS vulnerability in the administration panel.",
            "cve": null,
            "id": "pyup.io-34711",
            "specs": [
                "<0.8"
            ],
            "v": "<0.8"
        }
    ],
    "formbar": [
        {
            "advisory": "formbar 0.9 fixes a potential code injection issue by removing the rule parsing out of formbar and use brabbel library for rule parsing and evaluation.",
            "cve": null,
            "id": "pyup.io-25829",
            "specs": [
                "<0.9"
            ],
            "v": "<0.9"
        }
    ],
    "formencode": [
        {
            "advisory": "schema.py in FormEncode for Python (python-formencode) 1.0 does not apply the chained_validators feature, which allows attackers to bypass intended access restrictions via unknown vectors.",
            "cve": "CVE-2008-6547",
            "id": "pyup.io-25830",
            "specs": [
                "<1.0"
            ],
            "v": "<1.0"
        }
    ],
    "fresco": [
        {
            "advisory": "In fresco after 0.5.5 user supplied data is no longer reflected in error messages raised from ``fresco.routeargs.RequestArg``. This fixes a potential XSS vulnerability affecting versions starting from 0.5.0.",
            "cve": null,
            "id": "pyup.io-35028",
            "specs": [
                ">=0.5.0,<0.5.5"
            ],
            "v": ">=0.5.0,<0.5.5"
        }
    ],
    "friendlyshell": [
        {
            "advisory": "friendlyshell 1.0.3 fixes security warnings, and bugs with parsing quoted command parameters.",
            "cve": null,
            "id": "pyup.io-36642",
            "specs": [
                "<1.0.3"
            ],
            "v": "<1.0.3"
        }
    ],
    "ftw-dashboard-portlets-postit": [
        {
            "advisory": "ftw-dashboard-portlets-postit  1.3.4 fixes a security error, it was possible to add postit comment on a foreign dashboard if the userid an portlet id was known.",
            "cve": null,
            "id": "pyup.io-35933",
            "specs": [
                "<1.3.4"
            ],
            "v": "<1.3.4"
        }
    ],
    "ftw.dashboard.dragndrop": [
        {
            "advisory": "ftw.dashboard.dragndrop 1.5.1 includes several undisclosed security fixes.",
            "cve": null,
            "id": "pyup.io-25831",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "ftw.dashboard.portlets.postit": [
        {
            "advisory": "ftw.dashboard.portlets.postit 1.3.4 fixes a security error, it was possible to add postit comment on a foreign dashboard if the userid an portlet id was known.",
            "cve": null,
            "id": "pyup.io-25832",
            "specs": [
                "<1.3.4"
            ],
            "v": "<1.3.4"
        }
    ],
    "ftw.lawgiver": [
        {
            "advisory": "Ftw.lawgiver 1.16.1 fixes the workflow security.",
            "cve": null,
            "id": "pyup.io-37470",
            "specs": [
                "<1.16.1"
            ],
            "v": "<1.16.1"
        }
    ],
    "ftw.mail": [
        {
            "advisory": "ftw.mail 2.2.3 makes mail view XSS-save using the safe-html transform for the mail-body display.",
            "cve": null,
            "id": "pyup.io-25833",
            "specs": [
                "<2.2.3"
            ],
            "v": "<2.2.3"
        }
    ],
    "ftw.meeting": [
        {
            "advisory": "ftw.meeting before 1.4.1 isn't using safe-html-transform for textfields.",
            "cve": null,
            "id": "pyup.io-25834",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        }
    ],
    "ftw.permissionmanager": [
        {
            "advisory": "ftw.permissionmanager before 2.2.2 allowed users with view permission to access the advanced security features. Since it's possible to search for all users, which exposes all usernames and email addresses to anyone with view permission.",
            "cve": null,
            "id": "pyup.io-25835",
            "specs": [
                "<2.2.2"
            ],
            "v": "<2.2.2"
        }
    ],
    "fundnsf": [
        {
            "advisory": "fundnsf 0.0.32 updates requests 2.20.0 for security",
            "cve": null,
            "id": "pyup.io-36598",
            "specs": [
                "<0.0.32"
            ],
            "v": "<0.0.32"
        }
    ],
    "futoin-cid": [
        {
            "advisory": "futoin-cid before 0.8.5 does not properly check components loading from the root directory when using os.path.join().",
            "cve": null,
            "id": "pyup.io-35184",
            "specs": [
                "<0.8.5"
            ],
            "v": "<0.8.5"
        }
    ],
    "gandi.cli": [
        {
            "advisory": "gandi.cli 0.10 includes two security related fixes: \r\n\r\n- validate server certificate using request as\r\n  xmlrpc transport.\r\n- Security: restrict configuration file rights to owner only.",
            "cve": null,
            "id": "pyup.io-25836",
            "specs": [
                "<0.10"
            ],
            "v": "<0.10"
        }
    ],
    "genshi": [
        {
            "advisory": "genshi 0.6.1 includes a security fix to enhance sanitizing of CSS in style attributes. Genshi's `HTMLSanitizer` disallows style attributes by default (this remains unchanged) and warns against such attacks in its documentation, but the provided CSS santizing is now less lacking (see GitHub issue 455).",
            "cve": null,
            "id": "pyup.io-34688",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        }
    ],
    "geokey": [
        {
            "advisory": "Geokey 1.11.2 upgrades the REST framework (+GIS) dependencies in order to resolve reported vulnerability issue.",
            "cve": null,
            "id": "pyup.io-37207",
            "specs": [
                "<1.11.2"
            ],
            "v": "<1.11.2"
        },
        {
            "advisory": "Geokey 1.3.1 includes a not further specified security update.",
            "cve": null,
            "id": "pyup.io-35080",
            "specs": [
                "<1.3.1"
            ],
            "v": "<1.3.1"
        }
    ],
    "geonode": [
        {
            "advisory": "geonode 2.10.30\r\n\r\n== Bumps ==\r\ndjango from 1.11.21 to 1.11.22\r\ntwisted from 18.9.0 to 19.2.1\r\nurllib3 to 1.24.2\r\n\r\n== Also ==\r\nRemoves not useful and potentially blocking calls from signals and login/out calls\r\nGeneral security and encoding updates\r\nSecurity vulnerabilities on deps (PyYAML)\r\nEnforce GeoNode REST service API security",
            "cve": null,
            "id": "pyup.io-37877",
            "specs": [
                "<2.10.3"
            ],
            "v": "<2.10.3"
        }
    ],
    "gevent": [
        {
            "advisory": "gevent 1.2a1 includes a security related fix. Errors logged by :class:`~gevent.pywsgi.WSGIHandler` no longer print the entire WSGI environment by default. This avoids  possible information disclosure vulnerabilities. Applications can also opt-in to a higher security level for the WSGI environment if they  choose and their frameworks support it. Originally reported  in :pr:`779` by sean-peters-au and changed in :pr:`781`.",
            "cve": null,
            "id": "pyup.io-25837",
            "specs": [
                "<1.2a1"
            ],
            "v": "<1.2a1"
        }
    ],
    "geventhttpclient": [
        {
            "advisory": "geventhttpclient 1.2.0 includes an undisclosed security fix related to SSL support.",
            "cve": null,
            "id": "pyup.io-25838",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "girder": [
        {
            "advisory": "girder 2.2.0 fixes an XSS vulnerability in girders human-readable web API output. This vulnerability was not present in girders normal web client, so users of the Girder web client would not have been affected.",
            "cve": null,
            "id": "pyup.io-34634",
            "specs": [
                "<2.2.0"
            ],
            "v": "<2.2.0"
        },
        {
            "advisory": "In girder 2.5.0 the default Girder server now binds to localhost by default instead of 0.0.0.0.",
            "cve": null,
            "id": "pyup.io-35831",
            "specs": [
                "<2.5.0"
            ],
            "v": "<2.5.0"
        }
    ],
    "gitlab-languages": [
        {
            "advisory": "gitlab-languages 1.4.1 updates dependencies, because of a security vulnerability in request `<2.20.0`",
            "cve": null,
            "id": "pyup.io-36639",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        }
    ],
    "gns3-gui": [
        {
            "advisory": "gns3-gui 1.5.1 fixes a security related bug to prevent client to send empty hostname.",
            "cve": null,
            "id": "pyup.io-25839",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "gnupg": [
        {
            "advisory": "python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.",
            "cve": "CVE-2013-7323",
            "id": "pyup.io-35493",
            "specs": [
                "<0.3.5"
            ],
            "v": "<0.3.5"
        },
        {
            "advisory": "The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using \"$(\" command-substitution sequences, a different vulnerability than CVE-2014-1928.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.",
            "cve": "CVE-2014-1927",
            "id": "pyup.io-35533",
            "specs": [
                "==0.3.5"
            ],
            "v": "==0.3.5"
        },
        {
            "advisory": "The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using \"\\\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.",
            "cve": "CVE-2014-1928",
            "id": "pyup.io-35534",
            "specs": [
                "==0.3.5"
            ],
            "v": "==0.3.5"
        },
        {
            "advisory": "python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to \"option injection through positional arguments.\" NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.",
            "cve": "CVE-2014-1929",
            "id": "pyup.io-35535",
            "specs": [
                "==0.3.5",
                "==0.3.6"
            ],
            "v": "==0.3.5,==0.3.6"
        }
    ],
    "goharbor": [
        {
            "advisory": "goharbor 1.1.0 fixes some security issues in token service.",
            "cve": null,
            "id": "pyup.io-36776",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "google-appengine": [
        {
            "advisory": "Cross-site request forgery (CSRF) vulnerability in _ah/admin/interactive/execute (aka the Interactive Console) in the SDK Console (aka Admin Console) in the Google App Engine Python SDK before 1.5.4 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary Python code via the code parameter.",
            "cve": "CVE-2011-1364",
            "id": "pyup.io-33128",
            "specs": [
                "<1.5.4"
            ],
            "v": "<1.5.4"
        },
        {
            "advisory": "The FakeFile implementation in the sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly control the opening of files, which allows local users to bypass intended access restrictions and create arbitrary files via ALLOWED_MODES and ALLOWED_DIRS changes within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.",
            "cve": "CVE-2011-4211",
            "id": "pyup.io-33129",
            "specs": [
                "<1.5.4"
            ],
            "v": "<1.5.4"
        },
        {
            "advisory": "The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent os.popen calls, which allows local users to bypass intended access restrictions and execute arbitrary commands via a dev_appserver.RestrictedPathFunction._original_os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.",
            "cve": "CVE-2011-4212",
            "id": "pyup.io-33130",
            "specs": [
                "<1.5.4"
            ],
            "v": "<1.5.4"
        },
        {
            "advisory": "The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.",
            "cve": "CVE-2011-4213",
            "id": "pyup.io-33131",
            "specs": [
                "<1.5.4"
            ],
            "v": "<1.5.4"
        }
    ],
    "gordo-components": [
        {
            "advisory": "Gordo-components 0.15.1 updates the dependency urllib3 >= 1.24.2 to address urllib3 security alert - see https://nvd.nist.gov/vuln/detail/CVE-2019-11324",
            "cve": "CVE-2019-11324",
            "id": "pyup.io-37545",
            "specs": [
                "<0.15.1"
            ],
            "v": "<0.15.1"
        }
    ],
    "gphotos-sync": [
        {
            "advisory": "gphotos-sync 2.9 update dependencies for security patches",
            "cve": null,
            "id": "pyup.io-37829",
            "specs": [
                "<2.9"
            ],
            "v": "<2.9"
        }
    ],
    "great-components": [
        {
            "advisory": "great-components 25.0.1 updates lodash vulnerability",
            "cve": null,
            "id": "pyup.io-37925",
            "specs": [
                "<25.0.1"
            ],
            "v": "<25.0.1"
        }
    ],
    "guillotina": [
        {
            "advisory": "guillotina 4.5.8 fixes memory leak in security policy lookups",
            "cve": null,
            "id": "pyup.io-36961",
            "specs": [
                "<4.5.8"
            ],
            "v": "<4.5.8"
        }
    ],
    "gvar": [
        {
            "advisory": "Gvar 9.2.1 fixes bugs in gvar.load and gvar.dump caused by recent security upgrades to pyYAML.",
            "cve": null,
            "id": "pyup.io-37809",
            "specs": [
                "<9.2.1"
            ],
            "v": "<9.2.1"
        }
    ],
    "heedy": [
        {
            "advisory": "Heedy 0.3.0a1 reports it its changelog: There might [...] be security issues. Use at your own risk.",
            "cve": null,
            "id": "pyup.io-37687",
            "specs": [
                "<0.3.0a1"
            ],
            "v": "<0.3.0a1"
        }
    ],
    "henosis": [
        {
            "advisory": "henosis before 0.0.11 included a vulnerability that was opened by using `yaml.load` as opposed to `yaml.safe_load` ([issue 22](https://github.com/vc1492a/henosis/issues/22)).",
            "cve": null,
            "id": "pyup.io-36303",
            "specs": [
                "<0.0.11"
            ],
            "v": "<0.0.11"
        }
    ],
    "holocron": [
        {
            "advisory": "holocron 0.2.0 fixed a security issue when content author may steal private data through content's meta header.",
            "cve": null,
            "id": "pyup.io-25844",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "homeassistant": [
        {
            "advisory": "homeassistant before 0.37 uses a weak random number generator to create access tokens for camera feeds which could be brute force attacked in 2.5 weeks",
            "cve": null,
            "id": "pyup.io-34222",
            "specs": [
                "<0.37"
            ],
            "v": "<0.37"
        },
        {
            "advisory": "homeassistant before 0.73.2 and >=0.56 is vulnerable to a man in the middle attack since SSL verification was disabled for **outgoing** requests that were done using the shared aiohttp session.",
            "cve": null,
            "id": "pyup.io-36326",
            "specs": [
                ">=0.56,<0.73.2"
            ],
            "v": ">=0.56,<0.73.2"
        },
        {
            "advisory": "The markdown renderer in homeassistant 0.98 is vulnerable to an XSS attack if exposed to specially crafted markdown. This was fixed in 0.98.5. See: <https://github.com/home-assistant/home-assistant-polymer/pull/3640>.",
            "cve": null,
            "id": "pyup.io-37453",
            "specs": [
                ">=0.98,<0.98.5"
            ],
            "v": ">=0.98,<0.98.5"
        }
    ],
    "hpack": [
        {
            "advisory": "A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.",
            "cve": "CVE-2016-6580",
            "id": "pyup.io-35679",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        },
        {
            "advisory": "A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called \"HPACK Bomb\" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK dynamic header table into the dynamic header table. The attacker can then send a header block that is simply repeated requests to expand that field in the dynamic table. This can lead to a gigantic compression ratio of 4,096 or better, meaning that 16kB of data can decompress to 64MB of data on the target machine.",
            "cve": "CVE-2016-6581",
            "id": "pyup.io-35680",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        }
    ],
    "hpim-dm": [
        {
            "advisory": "hpim-dm 1.0 includes dissertation work and security implementation",
            "cve": null,
            "id": "pyup.io-37836",
            "specs": [
                "<1.0"
            ],
            "v": "<1.0"
        }
    ],
    "html5": [
        {
            "advisory": "html5 before 0.99999999 is vulnerable to a XSS attack. Upgrading avoids the XSS bug potentially caused by serializer allowing attribute values to be escaped out of in old browser versions, changing the quote_attr_values option on serializer to take one of three values, \"always\" (the old True value), \"legacy\" (the new option,  and the new default), and \"spec\" (the old False value, and the old default).",
            "cve": null,
            "id": "pyup.io-25845",
            "specs": [
                "<0.99999999"
            ],
            "v": "<0.99999999"
        }
    ],
    "html5lib": [
        {
            "advisory": "The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.",
            "cve": "CVE-2016-9909",
            "id": "pyup.io-35693",
            "specs": [
                "<0.99999999"
            ],
            "v": "<0.99999999"
        },
        {
            "advisory": "The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909.",
            "cve": "CVE-2016-9910",
            "id": "pyup.io-35694",
            "specs": [
                "<0.99999999"
            ],
            "v": "<0.99999999"
        },
        {
            "advisory": "html5lib before 0.99999999 is vulnerable to a XSS attack. Upgrading avoids the XSS bug potentially caused by serializer allowing attribute values to be escaped out of in old browser versions, changing the quote_attr_values option on serializer to take one of three values, \"always\" (the old True value), \"legacy\" (the new option,  and the new default), and \"spec\" (the old False value, and the old default).",
            "cve": null,
            "id": "pyup.io-25846",
            "specs": [
                "<0.99999999",
                ">1.0,<1.0b8"
            ],
            "v": "<0.99999999,>1.0,<1.0b8"
        }
    ],
    "httpauth": [
        {
            "advisory": "httpauth 0.2 fixes a security issue: Invalid username + empty password were being accepted.",
            "cve": null,
            "id": "pyup.io-25847",
            "specs": [
                "<0.2"
            ],
            "v": "<0.2"
        }
    ],
    "httpie": [
        {
            "advisory": "Httpie 1.0.3 fixes CVE-2019-10751. The way the output filename is generated for ``--download`` requests without ``--output`` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. See: <https://github.com/jakubroztocil/httpie/releases/tag/1.0.3>.",
            "cve": "CVE-2019-10751",
            "id": "pyup.io-37405",
            "specs": [
                "<1.0.3"
            ],
            "v": "<1.0.3"
        }
    ],
    "httplib2": [
        {
            "advisory": "httplib2 before and including 0.9.2 on \"SSL certificate hostname mismatch\" it is checked only once: https://github.com/httplib2/httplib2/issues/5",
            "cve": null,
            "id": "pyup.io-25848",
            "specs": [
                "<=0.9.2"
            ],
            "v": "<=0.9.2"
        }
    ],
    "httprunner": [
        {
            "advisory": "httprunner 2.0.5 fixes xss in response json",
            "cve": null,
            "id": "pyup.io-36945",
            "specs": [
                "<2.0.5"
            ],
            "v": "<2.0.5"
        },
        {
            "advisory": "httprunner 2.1.3 changes: replace eval mechanism with builtins to prevent security vulnerabilities",
            "cve": null,
            "id": "pyup.io-37216",
            "specs": [
                "<2.1.3"
            ],
            "v": "<2.1.3"
        }
    ],
    "httpsig": [
        {
            "advisory": "httpsig 1.0.0 removed suport for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.",
            "cve": null,
            "id": "pyup.io-25849",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "httpsig-cffi": [
        {
            "advisory": "httpsig-cffi 1.0.0 removed suport for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.",
            "cve": null,
            "id": "pyup.io-25850",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "hug": [
        {
            "advisory": "hug 2.3.0 fixes a vulnerability in the static file router that allows files in parent directory to be accessed.",
            "cve": null,
            "id": "pyup.io-34472",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        }
    ],
    "humblesetuptools": [
        {
            "advisory": "humblesetuptools 0.9.5 fixes a security vulnerability in SSL certificate validation.",
            "cve": null,
            "id": "pyup.io-25851",
            "specs": [
                "<0.9.5"
            ],
            "v": "<0.9.5"
        },
        {
            "advisory": "humblesetuptools 1.3 adresses a security vulnerability in SSL match_hostname check as reported in  Python #17997.",
            "cve": null,
            "id": "pyup.io-25852",
            "specs": [
                "<1.3"
            ],
            "v": "<1.3"
        }
    ],
    "hydroshare": [
        {
            "advisory": "hydroshare before 1.9.5 has multiple - undisclosed - security issues.",
            "cve": null,
            "id": "pyup.io-34264",
            "specs": [
                "<1.9.5"
            ],
            "v": "<1.9.5"
        },
        {
            "advisory": "hydroshare before 1.9.6 has multiple - undisclosed - security issues.",
            "cve": null,
            "id": "pyup.io-34265",
            "specs": [
                "<1.9.6"
            ],
            "v": "<1.9.6"
        }
    ],
    "ib-client": [
        {
            "advisory": "Ib-client 0.1.2 updates packages (especially Jinja2 which had a vulnerability in version 2.10).",
            "cve": null,
            "id": "pyup.io-37047",
            "specs": [
                "<0.1.2"
            ],
            "v": "<0.1.2"
        }
    ],
    "im": [
        {
            "advisory": "Im 1.5.0 removes the use of non-secure Pickle data.",
            "cve": null,
            "id": "pyup.io-37434",
            "specs": [
                "1.5.0"
            ],
            "v": "1.5.0"
        },
        {
            "advisory": "im before 1.5.0 removes use of insecure Pickle data.",
            "cve": null,
            "id": "pyup.io-36819",
            "specs": [
                "<1.5.0"
            ],
            "v": "<1.5.0"
        }
    ],
    "imageio": [
        {
            "advisory": "imageio 2.6.0 fixes a security vulnerability for Windows users that have dcmtk installed, and where an attacker can set the filename",
            "cve": null,
            "id": "pyup.io-37902",
            "specs": [
                "<2.6.0"
            ],
            "v": "<2.6.0"
        }
    ],
    "indico": [
        {
            "advisory": "indico before 2.0.2 uses a insecure transitive dependency (bleach).",
            "cve": null,
            "id": "pyup.io-35802",
            "specs": [
                "<2.0.2"
            ],
            "v": "<2.0.2"
        },
        {
            "advisory": "Indico 2.0.3 no longer shows contribution information (metadata including title, speakers and a partial description) in the contribution list unless the user has access to a contribution.",
            "cve": null,
            "id": "pyup.io-37568",
            "specs": [
                ">=2.0.0,<2.0.3"
            ],
            "v": ">=2.0.0,<2.0.3"
        },
        {
            "advisory": "Indico 2.1.11 fixes more places where LaTeX input was not correctly sanitized. While the biggest security impact (reading local files) has already been mitigated when fixing the initial vulnerability in the previous release, it is still strongly recommended to update.",
            "cve": null,
            "id": "pyup.io-37570",
            "specs": [
                ">=2.1.0,<2.1.11"
            ],
            "v": ">=2.1.0,<2.1.11"
        },
        {
            "advisory": "Indico 2.1.3\r\n- Only returns timetable entries for the current session when updating a session through the timetable (issue 3474)\r\n- Prevents session managers/coordinators from modifying certain timetable entries or scheduling contributions not assigned to their session\r\n- Restricts access to timetable entry details to users who are authorized to see them",
            "cve": null,
            "id": "pyup.io-34153",
            "specs": [
                ">=2.1.0,<2.1.3"
            ],
            "v": ">=2.1.0,<2.1.3"
        },
        {
            "advisory": "Indico 2.2.3 and 2.1.10\r\n- Strip ``@``, ``+``, ``-`` and ``=`` from the beginning of strings when exporting CSV files to avoid security issues when opening the CSV file in Excel.\r\n- Use 027 instead of 000 umask when temporarily changing it to get the current umask.\r\n- Fix LaTeX sanitization to prevent malicious users from running unsafe LaTeX commands through specially crafted abstracts or contribution descriptions, which could lead to the disclosure of local file contents.",
            "cve": null,
            "id": "pyup.io-37567",
            "specs": [
                ">=2.2.0,<2.2.3",
                ">=2.1.0,<2.1.10"
            ],
            "v": ">=2.2.0,<2.2.3,>=2.1.0,<2.1.10"
        },
        {
            "advisory": "Indico 2.2.4 fixes more places where LaTeX input was not correctly sanitized. While the biggest security impact (reading local files) has already been mitigated when fixing the initial vulnerability in the previous release, it is still strongly recommended to update.",
            "cve": null,
            "id": "pyup.io-37569",
            "specs": [
                ">=2.2.0,<2.2.4"
            ],
            "v": ">=2.2.0,<2.2.4"
        }
    ],
    "insecure-package": [
        {
            "advisory": "This is an insecure package with lots of exploitable security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-25853",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "inspetor": [
        {
            "advisory": "Inspetor 2.3.1 updates `sprockets` in `Gemfile.lock` to fix security warnings.",
            "cve": null,
            "id": "pyup.io-37343",
            "specs": [
                "<2.3.1"
            ],
            "v": "<2.3.1"
        }
    ],
    "instana": [
        {
            "advisory": "Instana 1.20.2 upgrades the `event-loop-lag` because of security vulnerabilities in its dependency tree.",
            "cve": null,
            "id": "pyup.io-34809",
            "specs": [
                "<1.20.2"
            ],
            "v": "<1.20.2"
        },
        {
            "advisory": "Instana 1.36.1 upgrades the `event-loop-lag` to address a security vulnerability. See: <https://nodesecurity.io/advisories/534>.",
            "cve": null,
            "id": "pyup.io-37188",
            "specs": [
                "<1.36.1"
            ],
            "v": "<1.36.1"
        },
        {
            "advisory": "Instana 1.37.1 switches to `@risingstack/v8-profiler` due to security issues in the transitive dependencies of `v8-profiler`.",
            "cve": null,
            "id": "pyup.io-37187",
            "specs": [
                "<1.37.1"
            ],
            "v": "<1.37.1"
        }
    ],
    "invenio": [
        {
            "advisory": "invenio 1.0.2 includes fixes for several undisclosed XSS vulnerabilities.",
            "cve": null,
            "id": "pyup.io-25854",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        },
        {
            "advisory": "invenio 1.1.2 fixes a undisclosed XSS vulnerability.",
            "cve": null,
            "id": "pyup.io-25855",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        }
    ],
    "invenio-admin": [
        {
            "advisory": "invenio-admin 1.1.1 has the minimum version of Flask-Admin bumped to v1.5.3 due to Cross-Site Scripting\r\n  vulnerability in previous versions.",
            "cve": null,
            "id": "pyup.io-36759",
            "specs": [
                "<1.0.1",
                "==1.1.0"
            ],
            "v": "<1.0.1,==1.1.0"
        },
        {
            "advisory": "invenio-admin 1.1.1 bumps Flask-Admin to v1.5.3 due to Cross-Site Scripting vulnerability in previous versions",
            "cve": null,
            "id": "pyup.io-38011",
            "specs": [
                "<1.1.1"
            ],
            "v": "<1.1.1"
        }
    ],
    "invenio-app": [
        {
            "advisory": "Invenio-app 1.1.1 fixes a security issue where APP_ALLOWED_HOSTS was not always being checked, and thus could allow host header injection attacks.",
            "cve": null,
            "id": "pyup.io-37311",
            "specs": [
                "<1.1.1"
            ],
            "v": "<1.1.1"
        }
    ],
    "invenio-records": [
        {
            "advisory": "Invenio-records 1.0.2 fixes a XSS vulnerability in the admin interface.",
            "cve": null,
            "id": "pyup.io-37322",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        }
    ],
    "invenio-search": [
        {
            "advisory": "invenio-search 0.1.3 fixes a potential XSS issues by changing search flash messages template so that they are not displayed as safe HTML by default.",
            "cve": null,
            "id": "pyup.io-25856",
            "specs": [
                "<0.1.3"
            ],
            "v": "<0.1.3"
        }
    ],
    "ipwb": [
        {
            "advisory": "ipwb 0.2018.08.29.1434 updates Flask use in ipwb replay due to a security vulnerability.",
            "cve": null,
            "id": "pyup.io-36492",
            "specs": [
                "<0.2018.08.29.1434"
            ],
            "v": "<0.2018.08.29.1434"
        },
        {
            "advisory": "Ipwb 0.2019.07.26.1435 updates Flask for replay to the latest version to address a security vulnerability in an older versions.",
            "cve": null,
            "id": "pyup.io-37304",
            "specs": [
                "<0.2019.07.26.1435"
            ],
            "v": "<0.2019.07.26.1435"
        }
    ],
    "ipython": [
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name.  NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.",
            "cve": "CVE-2015-6938",
            "id": "pyup.io-33132",
            "specs": [
                "<3.2.2"
            ],
            "v": "<3.2.2"
        },
        {
            "advisory": "The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.",
            "cve": "CVE-2015-7337",
            "id": "pyup.io-33133",
            "specs": [
                "<3.2.2"
            ],
            "v": "<3.2.2"
        }
    ],
    "irc3": [
        {
            "advisory": "irc3 before 0.4.4 is vulnerable to several undisclosed security issues.",
            "cve": null,
            "id": "pyup.io-25859",
            "specs": [
                "<0.4.4"
            ],
            "v": "<0.4.4"
        }
    ],
    "ironic-discoverd": [
        {
            "advisory": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.",
            "cve": "CVE-2015-5306",
            "id": "pyup.io-25860",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        }
    ],
    "ironic-inspector": [
        {
            "advisory": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.",
            "cve": "CVE-2015-5306",
            "id": "pyup.io-25861",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        }
    ],
    "iso6709": [
        {
            "advisory": "iso6709 0.1.4 bumped development versions for security fixes",
            "cve": null,
            "id": "pyup.io-37250",
            "specs": [
                "<0.1.4"
            ],
            "v": "<0.1.4"
        }
    ],
    "isso": [
        {
            "advisory": "isso 0.6 fixes a cross-site request forgery vulnerability for comment creation, voting, editing and deletion.",
            "cve": null,
            "id": "pyup.io-25862",
            "specs": [
                "<0.6"
            ],
            "v": "<0.6"
        }
    ],
    "isso-cn": [
        {
            "advisory": "Isso-cn 0.6 fixes a cross-site request forgery vulnerability for comment creation, voting, editing and deletion.",
            "cve": null,
            "id": "pyup.io-37714",
            "specs": [
                "<0.6"
            ],
            "v": "<0.6"
        },
        {
            "advisory": "Isso-cn 0.7 fixes a malicious HTML injection (due to wrong API usage). All unknown/unsafe HTML tags are now removed from the output (`html5lib` 0.99(9) or later) or properly escaped (older `html5lib` versions).",
            "cve": null,
            "id": "pyup.io-37713",
            "specs": [
                "<0.7"
            ],
            "v": "<0.7"
        }
    ],
    "jarbas-utils": [
        {
            "advisory": "jarbas-utils 0.5.1 casts encryption key to bytes",
            "cve": null,
            "id": "pyup.io-37883",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        }
    ],
    "jinja": [
        {
            "advisory": "jinja 2.7.2 fixes a security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems.  See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747 for more information.",
            "cve": null,
            "id": "pyup.io-25863",
            "specs": [
                "<2.7.2"
            ],
            "v": "<2.7.2"
        },
        {
            "advisory": "jinja 2.7.3 fixes a security issue: Corrected the security fix for the cache folder.",
            "cve": null,
            "id": "pyup.io-25864",
            "specs": [
                "<2.7.3"
            ],
            "v": "<2.7.3"
        }
    ],
    "jinja2": [
        {
            "advisory": "jinja2 2.7.2 fixes a security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems.  See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747 for more information.",
            "cve": null,
            "id": "pyup.io-25865",
            "specs": [
                "<2.7.2"
            ],
            "v": "<2.7.2"
        },
        {
            "advisory": "The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.",
            "cve": "CVE-2014-1402",
            "id": "pyup.io-25866",
            "specs": [
                "<2.7.3"
            ],
            "v": "<2.7.3"
        }
    ],
    "jnitrace": [
        {
            "advisory": "Jnitrace 1.0.6 bumps version of minimilist to fix vulnerability CVE-2020-7598.",
            "cve": "CVE-2020-7598",
            "id": "pyup.io-38061",
            "specs": [
                "<1.0.6"
            ],
            "v": "<1.0.6"
        },
        {
            "advisory": "Jnitrace 2.2.1 upgrades eslint-package to patch security vulnerability.",
            "cve": null,
            "id": "pyup.io-37427",
            "specs": [
                "<2.2.1"
            ],
            "v": "<2.2.1"
        },
        {
            "advisory": "Jnitrace 3.0.5 bumps version of acorn to 7.1.1 to fix vulnerability CVE-2020-7598.",
            "cve": "CVE-2020-7598",
            "id": "pyup.io-38060",
            "specs": [
                "<3.0.5"
            ],
            "v": "<3.0.5"
        }
    ],
    "jose": [
        {
            "advisory": "jose 0.3.0 fixed critical JWT vulnerability.",
            "cve": null,
            "id": "pyup.io-25867",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "js-videojs": [
        {
            "advisory": "js-videojs  4.12.5 updates videojs-swf to v4.5.4 to fix a potential security issue ([view](https://github.com/videojs/video.js/pull/1955)",
            "cve": null,
            "id": "pyup.io-36130",
            "specs": [
                "<4.12.5"
            ],
            "v": "<4.12.5"
        }
    ],
    "jsonrpc-pyclient": [
        {
            "advisory": "jsonrpc-pyclient 0.7.0 fixes security issues in unixdomainsocket connectors.",
            "cve": null,
            "id": "pyup.io-25869",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        }
    ],
    "jumpssh": [
        {
            "advisory": "Jumpssh 1.6.3 removes pytest-runner from setup_requires as this is deprecated for security reasons, see https://github.com/pytest-dev/pytest-runner",
            "cve": null,
            "id": "pyup.io-38051",
            "specs": [
                "<1.6.3"
            ],
            "v": "<1.6.3"
        }
    ],
    "junos-eznc": [
        {
            "advisory": "Junos-eznc 2.2.1 fixes PyYAML as per CVE-2017-18342.",
            "cve": "CVE-2017-18342",
            "id": "pyup.io-37081",
            "specs": [
                "<2.2.1"
            ],
            "v": "<2.2.1"
        }
    ],
    "jupyter-nbrequirements": [
        {
            "advisory": "Jupyter-nbrequirements 0.6.0 bumps bleach from 3.1.0 to 3.1.1 because it provides better security.",
            "cve": null,
            "id": "pyup.io-38077",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "jwql": [
        {
            "advisory": "Jwql 0.16.0 updates ``django`` to fix security issues.",
            "cve": null,
            "id": "pyup.io-37148",
            "specs": [
                "<0.16.0"
            ],
            "v": "<0.16.0"
        }
    ],
    "kafkacrypto": [
        {
            "advisory": "Kafkacrypto 0.9.5 includes one low severity security fix identified during the crypto review.",
            "cve": null,
            "id": "pyup.io-37515",
            "specs": [
                "<0.9.5"
            ],
            "v": "<0.9.5"
        },
        {
            "advisory": "Kafkacrypto 0.9.8 includes:\r\n-  Implementation of allowlist and denylists. This removes the need for separate code pathways for root of trusts, enabling them to be treated as entries in allowlist.\r\n- Implementation of automatic processing of messages to adjust allowlists, denylists, and chains. This enables very short chain lifetimes, a security benefit. It also enables a private key to self-sign that it should be revoked.\r\n- Implementation of a pathlength constraint for further tightening of chains. Minimum usable value is typically 1, unless the end of the chain will not sign any further messages.\r\n- Fix kafka wrapper poll implementation to make the timeout optional.",
            "cve": null,
            "id": "pyup.io-37560",
            "specs": [
                "<0.9.8"
            ],
            "v": "<0.9.8"
        }
    ],
    "kalliope": [
        {
            "advisory": "kalliope 0.5.3 update request lib to fix security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-36808",
            "specs": [
                "<0.5.3"
            ],
            "v": "<0.5.3"
        }
    ],
    "katal": [
        {
            "advisory": "katal before 0.0.6 uses eval() internally.",
            "cve": null,
            "id": "pyup.io-34247",
            "specs": [
                "<0.0.6"
            ],
            "v": "<0.0.6"
        }
    ],
    "katka-core": [
        {
            "advisory": "katka-core 0.11.0 decreases the amount of gaping security holes",
            "cve": null,
            "id": "pyup.io-36914",
            "specs": [
                "<0.11.0"
            ],
            "v": "<0.11.0"
        }
    ],
    "kaze-python": [
        {
            "advisory": "kaze-python 0.6.5 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.",
            "cve": null,
            "id": "pyup.io-36494",
            "specs": [
                "<0.6.5"
            ],
            "v": "<0.6.5"
        },
        {
            "advisory": "kaze-python 0.7.8 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.",
            "cve": null,
            "id": "pyup.io-36493",
            "specs": [
                "<0.7.8"
            ],
            "v": "<0.7.8"
        }
    ],
    "kdcproxy": [
        {
            "advisory": "python-kdcproxy before 0.3.2 allows remote attackers to cause a denial of service via a large POST request.",
            "cve": "CVE-2015-5159",
            "id": "pyup.io-36597",
            "specs": [
                "<0.3.2"
            ],
            "v": "<0.3.2"
        }
    ],
    "kedro-viz": [
        {
            "advisory": "Kedro-viz 2.1.0 fixes an infosec vulnerability in LoDash (16).",
            "cve": null,
            "id": "pyup.io-37353",
            "specs": [
                "<2.1.0"
            ],
            "v": "<2.1.0"
        },
        {
            "advisory": "Kedro-viz 3.0.0 includes a Snyk fix for one, unspecified vulnerability.",
            "cve": null,
            "id": "pyup.io-37615",
            "specs": [
                "<3.0.0"
            ],
            "v": "<3.0.0"
        }
    ],
    "keyring": [
        {
            "advisory": "Python keyring lib before 0.10 created keyring files with world-readable permissions. See: CVE-2012-5577.",
            "cve": "CVE-2012-5577",
            "id": "pyup.io-37610",
            "specs": [
                "<0.10"
            ],
            "v": "<0.10"
        },
        {
            "advisory": "Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack.",
            "cve": "CVE-2012-4571",
            "id": "pyup.io-25870",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        },
        {
            "advisory": "Python keyring has insecure permissions on new databases allowing world-readable files to be created. See: CVE-2012-5578.",
            "cve": "CVE-2012-5578",
            "id": "pyup.io-37743",
            "specs": [
                "<=0.10"
            ],
            "v": "<=0.10"
        }
    ],
    "keystonemiddleware": [
        {
            "advisory": "The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.",
            "cve": "CVE-2015-7546",
            "id": "pyup.io-25871",
            "specs": [
                "<1.5.4",
                ">=2.0,<2.3.3"
            ],
            "v": "<1.5.4,>=2.0,<2.3.3"
        },
        {
            "advisory": "The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.",
            "cve": "CVE-2015-1852",
            "id": "pyup.io-25872",
            "specs": [
                "<1.6.0"
            ],
            "v": "<1.6.0"
        }
    ],
    "khoros": [
        {
            "advisory": "Khoros 2.3.1 updates requirements.txt to use Bleach to version 3.1.1 to mitigate a security alert  for a mutation XSS vulnerability. See: https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r",
            "cve": null,
            "id": "pyup.io-37961",
            "specs": [
                "<2.3.1"
            ],
            "v": "<2.3.1"
        }
    ],
    "khorosjx": [
        {
            "advisory": "khorosjx 2.3.1 upgrades the bleach package to version 3.1.1 to mitigate an XSS security issue",
            "cve": null,
            "id": "pyup.io-37935",
            "specs": [
                "<2.3.1"
            ],
            "v": "<2.3.1"
        }
    ],
    "kinto": [
        {
            "advisory": "kinto 12.0.2\r\n **security**: Fix a pagination bug in the PostgreSQL backend that could leak records between collections",
            "cve": null,
            "id": "pyup.io-36841",
            "specs": [
                "<12.0.2"
            ],
            "v": "<12.0.2"
        },
        {
            "advisory": "kinto 13.0.0 **security**: Fix a pagination bug in the PostgreSQL backend that could leak records between collections",
            "cve": null,
            "id": "pyup.io-36840",
            "specs": [
                "<13.0.0"
            ],
            "v": "<13.0.0"
        },
        {
            "advisory": "kinto 5.1.0 replaced insecure use of ``random.random()`` and ``random.choice(...)`` with more secure ``random.SystemRandom().random()`` and ``random.SystemRandom().choice(...)``.",
            "cve": null,
            "id": "pyup.io-25873",
            "specs": [
                "<5.1.0"
            ],
            "v": "<5.1.0"
        }
    ],
    "kinto-dist": [
        {
            "advisory": "Signer parameters in kinto-dist before 15.0.2 were displayed in capabilities. This was a security concern.",
            "cve": null,
            "id": "pyup.io-37169",
            "specs": [
                "<15.0.2"
            ],
            "v": "<15.0.2"
        },
        {
            "advisory": "Kinto-dist 17.0.0 fixes a pagination bug in the PostgreSQL backend that could leak records between collections.",
            "cve": null,
            "id": "pyup.io-36153",
            "specs": [
                "<17.0.0"
            ],
            "v": "<17.0.0"
        },
        {
            "advisory": "Kinto-dist between 6.0.0 and 6.0.2 included Kinto 8.2.0 where the `account` plugin had a security flaw where the password wasn't verified during the session duration.",
            "cve": null,
            "id": "pyup.io-36291",
            "specs": [
                ">=6.0.0,<=6.0.2"
            ],
            "v": ">=6.0.0,<=6.0.2"
        }
    ],
    "kiwitcms": [
        {
            "advisory": "Kiwitcms 6.0 updates to Django 2.1.2 (due to a high severity security issue) and to Patternfly 3.54.8.",
            "cve": null,
            "id": "pyup.io-36649",
            "specs": [
                "<6.0"
            ],
            "v": "<6.0"
        },
        {
            "advisory": "Kiwi TCMS 8.1 prevents an XSS attack via tags by having the JSON-RPC handler escape all HTML strings. Additionally, it updates Django from 3.0.3 to 3.0.4, which fixes security issue CVE-2020-9402.",
            "cve": "CVE-2020-9402",
            "id": "pyup.io-37503",
            "specs": [
                "<8.1"
            ],
            "v": "<8.1"
        }
    ],
    "knowledge-repo": [
        {
            "advisory": "knowledge-repo 0.8.0 removed two security vulnerabilities associated with arbitrary code execution from code stored in knowledge repositories on both clients and servers via knowledge repository configuration and embedded tooling.",
            "cve": null,
            "id": "pyup.io-36510",
            "specs": [
                "<0.8.0"
            ],
            "v": "<0.8.0"
        }
    ],
    "kotti": [
        {
            "advisory": "kotti 1.3.2 fixes a CSRF (Cross Site Request Forgery) security vulnerablity which was reported in 551. You should upgrade your installations ASAP.",
            "cve": null,
            "id": "pyup.io-36142",
            "specs": [
                "<1.3.2"
            ],
            "v": "<1.3.2"
        }
    ],
    "kuber": [
        {
            "advisory": "Kuber 10.0.1 bumps the urllib3 version to pick up security fix for CVE-2019-11324.",
            "cve": "CVE-2019-11324",
            "id": "pyup.io-38099",
            "specs": [
                "<10.0.1"
            ],
            "v": "<10.0.1"
        },
        {
            "advisory": "kuber 9.0.0a1 bumps urllib3 version to pick up security fix for CVE-2018-20060.",
            "cve": null,
            "id": "pyup.io-36979",
            "specs": [
                "<9.0.0a1"
            ],
            "v": "<9.0.0a1"
        }
    ],
    "kubernetes": [
        {
            "advisory": "kubernetes 7.0.1 bumps urllib3 version to pick up security fix for CVE-2018-20060 [kubernetes-client/python#707](https://github.com/kubernetes-client/python/pull/707)",
            "cve": null,
            "id": "pyup.io-36762",
            "specs": [
                "<7.0.1"
            ],
            "v": "<7.0.1"
        },
        {
            "advisory": "Kubernetes 10.0.1 Bumps urllib3 version to pick up security fix for CVE-2019-11324 - see: https://github.com/kubernetes-client/python/pull/897",
            "cve": null,
            "id": "pyup.io-38036",
            "specs": [
                ">=10.0,<10.0.1"
            ],
            "v": ">=10.0,<10.0.1"
        },
        {
            "advisory": "Kubernetes 8.0.1 Bumps urllib3 version to pick up security fix for CVE-2018-20060 - see: https://github.com/kubernetes-client/python/pull/707",
            "cve": "CVE-2018-20060",
            "id": "pyup.io-36761",
            "specs": [
                ">=8.0,<8.0.1"
            ],
            "v": ">=8.0,<8.0.1"
        },
        {
            "advisory": "Kubernetes 9.0.0a1 Bumps urllib3 version to pick up security fix for CVE-2018-20060 - see: https://github.com/kubernetes-client/python/pull/707",
            "cve": "CVE-2018-20060",
            "id": "pyup.io-36760",
            "specs": [
                ">=9.0,<9.0.0a1"
            ],
            "v": ">=9.0,<9.0.0a1"
        }
    ],
    "kubernetes-asyncio": [
        {
            "advisory": "kubernetes-asyncio 8.0.3 uses `yaml.safe_load`, `yaml.safe_dump` for security reasons.",
            "cve": null,
            "id": "pyup.io-36777",
            "specs": [
                "<8.0.3"
            ],
            "v": "<8.0.3"
        }
    ],
    "kubetest": [
        {
            "advisory": "Kubetest 0.1.0 updates the pyyaml version for security reasons. See: CVE-2017-18342.",
            "cve": "CVE-2017-18342",
            "id": "pyup.io-37070",
            "specs": [
                "<0.1.0"
            ],
            "v": "<0.1.0"
        }
    ],
    "kytos": [
        {
            "advisory": "kytos 2019.1b3 change: Changed some dependencies versions in order to fix security bugs",
            "cve": null,
            "id": "pyup.io-37226",
            "specs": [
                "<2019.1b3"
            ],
            "v": "<2019.1b3"
        }
    ],
    "kytos-utils": [
        {
            "advisory": "kytos-utils 2019.1b3 change: Updated requirements versions in order to fix some security bugs",
            "cve": null,
            "id": "pyup.io-37225",
            "specs": [
                "<2019.1b3"
            ],
            "v": "<2019.1b3"
        }
    ],
    "lambda-tools": [
        {
            "advisory": "lambda-tools before 0.1.2 used an unsafe way to load untrusted lambda definitions via `yaml.load`.",
            "cve": null,
            "id": "pyup.io-35209",
            "specs": [
                "<0.1.2"
            ],
            "v": "<0.1.2"
        }
    ],
    "lambda-warmer-py": [
        {
            "advisory": "Lambda-warmer-py 1.2.0 upgrades the lodash dependency for security issues [131577c].",
            "cve": null,
            "id": "pyup.io-37371",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "lambdajson": [
        {
            "advisory": "lambdajson 0.1.5 includes a security fix. Using ast.literal_eval as eval.",
            "cve": null,
            "id": "pyup.io-25874",
            "specs": [
                "<0.1.5"
            ],
            "v": "<0.1.5"
        }
    ],
    "lapdog": [
        {
            "advisory": "Lapdog 0.18.7 improves API security by switching to custom Lapdog OAuth tokens. Currently this is only supported by Broad accounts. Non-broad accounts will continue to use standard Google application-default credentials when authenticating through the Lapdog API.",
            "cve": null,
            "id": "pyup.io-37597",
            "specs": [
                "<0.18.7"
            ],
            "v": "<0.18.7"
        }
    ],
    "launchdarkly-server-sdk": [
        {
            "advisory": "Setting `verify_ssl` to `False` in the client configuration of launchdarkly-server-sdk before 6.12.2 did not have the expected effect of completely turning off SSL/TLS verification, because it still left _certificate_ verification in effect, so it would allow a totally insecure connection but reject a secure connection whose certificate had an unknown CA. This has been changed so that it will turn off certificate verification as well. This is not a recommended practice and a future version of the SDK will add a way to specify a custom certificate authority instead (to support, for instance, using the Relay Proxy with a self-signed certificate).",
            "cve": null,
            "id": "pyup.io-38082",
            "specs": [
                "<6.12.2"
            ],
            "v": "<6.12.2"
        }
    ],
    "ldap3": [
        {
            "advisory": "ldap3 before 0.9.5.4 has several security issues in lazy connections.",
            "cve": null,
            "id": "pyup.io-25875",
            "specs": [
                "<0.9.5.4"
            ],
            "v": "<0.9.5.4"
        },
        {
            "advisory": "ldap3 2.4 includes a security fix in the rebind() method of the Connection object.",
            "cve": null,
            "id": "pyup.io-35053",
            "specs": [
                "<2.4"
            ],
            "v": "<2.4"
        }
    ],
    "lemur": [
        {
            "advisory": "lemur 0.1.5 switched from use a AES static key to Fernet encryption.",
            "cve": null,
            "id": "pyup.io-25876",
            "specs": [
                "<0.1.5"
            ],
            "v": "<0.1.5"
        }
    ],
    "libtaxii": [
        {
            "advisory": "libtaxii before 1.1.105 has multiple XML parsing related vulnerabilities.",
            "cve": null,
            "id": "pyup.io-25877",
            "specs": [
                "<1.1.105"
            ],
            "v": "<1.1.105"
        }
    ],
    "lifx-control-panel": [
        {
            "advisory": "Lifx-control-panel 1.5.4 fixes a pretty major security exploit. It adds safe-scopes to all `eval()` calls.",
            "cve": null,
            "id": "pyup.io-37424",
            "specs": [
                "<1.5.4"
            ],
            "v": "<1.5.4"
        },
        {
            "advisory": "Lifx-control-panel 1.6.3 removes all `eval()` statements for security.",
            "cve": null,
            "id": "pyup.io-37423",
            "specs": [
                "<1.6.3"
            ],
            "v": "<1.6.3"
        },
        {
            "advisory": "lifx-control-panel 1.7.6:\r\n* Pyinstaller 3.6 fixes several security vulnerabilities \r\n* Updated other key repositories, increasing security and speed",
            "cve": null,
            "id": "pyup.io-37853",
            "specs": [
                "<1.7.6"
            ],
            "v": "<1.7.6"
        }
    ],
    "livefyre": [
        {
            "advisory": "livefyre before 2.0.3 uses a release of a transitive dependency with known security vulnerabilities  (PyJWT).",
            "cve": null,
            "id": "pyup.io-34170",
            "specs": [
                "<2.0.3"
            ],
            "v": "<2.0.3"
        }
    ],
    "locustio": [
        {
            "advisory": "locustio before 0.7 uses pickle.",
            "cve": null,
            "id": "pyup.io-25878",
            "specs": [
                "<0.7"
            ],
            "v": "<0.7"
        }
    ],
    "logilab-common": [
        {
            "advisory": "The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.",
            "cve": "CVE-2014-1839",
            "id": "pyup.io-35525",
            "specs": [
                "<0.61.0"
            ],
            "v": "<0.61.0"
        },
        {
            "advisory": "The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.",
            "cve": "CVE-2014-1838",
            "id": "pyup.io-35524",
            "specs": [
                "<0.61.0"
            ],
            "v": "<0.61.0"
        }
    ],
    "luckycharms": [
        {
            "advisory": "Luckycharms 0.5.2 upgrades some dependencies with security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37144",
            "specs": [
                "<0.5.2"
            ],
            "v": "<0.5.2"
        }
    ],
    "luigi": [
        {
            "advisory": "luigi 2.1.1 fixes a security issue where malicious users can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).",
            "cve": null,
            "id": "pyup.io-34671",
            "specs": [
                "<2.1.1"
            ],
            "v": "<2.1.1"
        },
        {
            "advisory": "luigi before 2.7.5 allowed an xss attack using GET parameters, relying on the Jquery `append` function.",
            "cve": null,
            "id": "pyup.io-36315",
            "specs": [
                "<2.7.5"
            ],
            "v": "<2.7.5"
        }
    ],
    "lxml": [
        {
            "advisory": "Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.",
            "cve": "CVE-2014-3146",
            "id": "pyup.io-35549",
            "specs": [
                "<3.3.5"
            ],
            "v": "<3.3.5"
        }
    ],
    "maestral": [
        {
            "advisory": "Communication between the sync daemon and frontend (GUI or CLI) in maestral 0.4.1 is faster and more secure than in previous versions. Additionally, it uses Unix domain sockets instead of TCP/IP sockets for communication with daemon. This means that communication is lighter, faster and more secure (other users on the same PC  can no longer connect to your sync daemon).",
            "cve": null,
            "id": "pyup.io-37523",
            "specs": [
                "<0.4.1"
            ],
            "v": "<0.4.1"
        }
    ],
    "mailman": [
        {
            "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.",
            "cve": "CVE-2011-0707",
            "id": "pyup.io-25879",
            "specs": [
                "<2.1.14"
            ],
            "v": "<2.1.14"
        },
        {
            "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) the list information field or (2) the list description field.",
            "cve": "CVE-2010-3089",
            "id": "pyup.io-25880",
            "specs": [
                "<2.1.14rc1"
            ],
            "v": "<2.1.14rc1"
        },
        {
            "advisory": "Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name.",
            "cve": "CVE-2015-2775",
            "id": "pyup.io-25881",
            "specs": [
                "<2.1.20"
            ],
            "v": "<2.1.20"
        },
        {
            "advisory": "Unspecified vulnerability in Mailman before 2.1.28 has unknown impact and attack vectors.",
            "cve": "CVE-2018-13796",
            "id": "pyup.io-36319",
            "specs": [
                "<2.1.28"
            ],
            "v": "<2.1.28"
        },
        {
            "advisory": "Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.",
            "cve": "CVE-2018-0618",
            "id": "pyup.io-36348",
            "specs": [
                "<=2.1.26"
            ],
            "v": "<=2.1.26"
        }
    ],
    "mako": [
        {
            "advisory": "Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element.",
            "cve": "CVE-2010-2480",
            "id": "pyup.io-25882",
            "specs": [
                "<0.3.4"
            ],
            "v": "<0.3.4"
        }
    ],
    "mantissa": [
        {
            "advisory": "mantissa before 0.6.14 in xmantissa.webtheme allows access to arbitrary filesystem contents.",
            "cve": null,
            "id": "pyup.io-25883",
            "specs": [
                "<0.6.14"
            ],
            "v": "<0.6.14"
        }
    ],
    "markdown2": [
        {
            "advisory": "markdown2 before 1.0.1.14 has a security hole in the md5-hashing scheme for handling HTML  chunks during processing.",
            "cve": null,
            "id": "pyup.io-25884",
            "specs": [
                "<1.0.1.14"
            ],
            "v": "<1.0.1.14"
        },
        {
            "advisory": "Python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. See CVE-2009-3724.",
            "cve": "CVE-2009-3724",
            "id": "pyup.io-37735",
            "specs": [
                "<1.0.1.14"
            ],
            "v": "<1.0.1.14"
        },
        {
            "advisory": "markdown2 before 1.0.1.15 is vulnerable to a XSS attack via JavaScript injection in a carefully crafted image reference (usage of double-quotes in the URL).",
            "cve": null,
            "id": "pyup.io-25885",
            "specs": [
                "<1.0.1.15"
            ],
            "v": "<1.0.1.15"
        },
        {
            "advisory": "An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '>' character from an IMG tag.",
            "cve": "CVE-2018-5773",
            "id": "pyup.io-35760",
            "specs": [
                "<2.3.5"
            ],
            "v": "<2.3.5"
        }
    ],
    "marshmallow": [
        {
            "advisory": "marshmallow 2.15.1 fixes behavior when an empty list is passed as the ``only`` argument. (CVE-2018-17175)",
            "cve": "CVE-2018-17175",
            "id": "pyup.io-36499",
            "specs": [
                "<2.15.1",
                "==3.0.0a1",
                "==3.0.0b1",
                "==3.0.0b2",
                "==3.0.0b3",
                "==3.0.0b4",
                "==3.0.0b5",
                "==3.0.0b6",
                "==3.0.0b7",
                "==3.0.0b8"
            ],
            "v": "<2.15.1,==3.0.0a1,==3.0.0b1,==3.0.0b2,==3.0.0b3,==3.0.0b4,==3.0.0b5,==3.0.0b6,==3.0.0b7,==3.0.0b8"
        },
        {
            "advisory": "In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema \"only\" option treats an empty list as implying no \"only\" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the \"only\" option, and there is a user role that produces an empty value for \"only\").",
            "cve": "CVE-2018-17175",
            "id": "pyup.io-36496",
            "specs": [
                "<2.15.1,>3.0.0,<3.0.0b9"
            ],
            "v": "<2.15.1,>3.0.0,<3.0.0b9"
        }
    ],
    "martypy": [
        {
            "advisory": "martypy 1.2 requests security issues in `requests` and `urllib3` dependencies",
            "cve": null,
            "id": "pyup.io-36739",
            "specs": [
                "<1.2"
            ],
            "v": "<1.2"
        }
    ],
    "matthisk-httpsig": [
        {
            "advisory": "matthisk-httpsig before 1.0.0 allowed reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.",
            "cve": null,
            "id": "pyup.io-25886",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "mautrix-telegram": [
        {
            "advisory": "Mautrix-telegram 0.6.0 fixes a vulnerability in event handling.",
            "cve": null,
            "id": "pyup.io-37432",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "maxminddb": [
        {
            "advisory": "maxminddb 1.1.2 includes a number of important security fixes. Among these fixes is improved validation of the database metadata. Unfortunately,  MaxMind GeoIP2 and GeoLite2 databases created earlier than January 28, 2014  had an invalid data type for the `record_size` in the metadata. Previously these databases worked on little endian machines with libmaxminddb but did not work on big endian machines. Due to increased safety checks when reading the file, these databases will no longer work on any platform. If you are using one of these databases, we recommend that you upgrade to the latest GeoLite2 or GeoIP2 database",
            "cve": null,
            "id": "pyup.io-25887",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        }
    ],
    "mdbackup": [
        {
            "advisory": "Mdbackup 0.2.0 comes with some bug fixes that made the utility more secure. It introduces the ``Vault secret backend``, where important data (like passwords) can be stored, and the ``File secret backend`` (a fallback secret backend) where secrets are read from the file system directly.",
            "cve": null,
            "id": "pyup.io-37725",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "megalib": [
        {
            "advisory": "Megalib 0.9.5alpha updates requirements.txt to fix a vulnerability.",
            "cve": null,
            "id": "pyup.io-37099",
            "specs": [
                "<0.9.5alpha"
            ],
            "v": "<0.9.5alpha"
        }
    ],
    "mercurial": [
        {
            "advisory": "In Mercurial before 4.1.3, \"hg serve --stdio\" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.",
            "cve": "CVE-2017-9462",
            "id": "pyup.io-35757",
            "specs": [
                "<4.1.3"
            ],
            "v": "<4.1.3"
        }
    ],
    "metadataproxy": [
        {
            "advisory": "metadataproxy before 1.1.1 has a flaw in the proxy functionality when used in passthrough mode that would expose the host's IAM role credentials when extra paths were added to the end of the security-credentials end-point. metadataproxy will now properly capture any call to iam/security-credentials/<role> and return the scoped credentials, rather than the host's credentials.",
            "cve": null,
            "id": "pyup.io-25888",
            "specs": [
                "<1.1.1"
            ],
            "v": "<1.1.1"
        }
    ],
    "mezzanine": [
        {
            "advisory": "mezzanine  4.3.0 fixes a potential security vulnerability in which the password reset url is exposed to untrusted intermediary nodes in the network.",
            "cve": null,
            "id": "pyup.io-36270",
            "specs": [
                "<4.3.0"
            ],
            "v": "<4.3.0"
        }
    ],
    "mgp2pdf": [
        {
            "advisory": "In mgp2pdf before 0.10 `%filter`` is enabled by default which is a security risk.",
            "cve": null,
            "id": "pyup.io-25889",
            "specs": [
                "<0.10"
            ],
            "v": "<0.10"
        }
    ],
    "mi": [
        {
            "advisory": "Mi 0.1 removes ``pyramid.session.signed_serialize``, and ``pyramid.session.signed_deserialize``. These methods were only used by the now-removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` and were coupled to the vulnerable pickle serialization format which could lead to remove code execution if the secret key is compromised. See: <https://github.com/Pylons/pyramid/pull/3412>.",
            "cve": null,
            "id": "pyup.io-38079",
            "specs": [
                "<0.1"
            ],
            "v": "<0.1"
        },
        {
            "advisory": "mi 0.4.2 changes the default paster template generator to use ``Paste#http`` server rather than ``PasteScript#cherrpy`` server.  The cherrypy server has a security risk in it when ``REMOTE_USER`` is trusted by the downstream application.",
            "cve": null,
            "id": "pyup.io-37993",
            "specs": [
                "<0.4.2"
            ],
            "v": "<0.4.2"
        },
        {
            "advisory": "In mi before 1.0a3, the pylons_* paster template used the same string (``your_app_secret_string``) for the ``session.secret`` setting in the  generated ``development.ini``.  This was a security risk if left unchanged  in a project that used one of the templates to produce production applications.  It now uses a randomly generated string.",
            "cve": null,
            "id": "pyup.io-37982",
            "specs": [
                "<1.0a3"
            ],
            "v": "<1.0a3"
        },
        {
            "advisory": "The default Mako renderer in mi version 1.1a1 is configured to escape all HTML in expression tags. This is intended to help prevent XSS attacks caused by  rendering unsanitized input from users. To revert this behavior in user's  templates, they need to filter the expression through the 'n' filter.  For example, ${ myhtml | n }. See https://github.com/Pylons/pyramid/issues/193.",
            "cve": null,
            "id": "pyup.io-37979",
            "specs": [
                "<1.1a1"
            ],
            "v": "<1.1a1"
        },
        {
            "advisory": "The AuthTktAuthenticationPolicy before mi 1.3a1 did not use a timing-attack-aware string comparator.  See https://github.com/Pylons/pyramid/pull/320 for more info.",
            "cve": null,
            "id": "pyup.io-37974",
            "specs": [
                "<1.3a1"
            ],
            "v": "<1.3a1"
        },
        {
            "advisory": "Mi 1.6a1 improves robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See: <https://github.com/Pylons/pyramid/pull/1457>. Additionally, it avoids timing attacks against CSRF tokens. See: <https://github.com/Pylons/pyramid/pull/1574>.",
            "cve": null,
            "id": "pyup.io-38003",
            "specs": [
                "<1.6a1"
            ],
            "v": "<1.6a1"
        },
        {
            "advisory": "mi 1.6a2 further fixes the JSONP renderer by prefixing the returned content with  a comment. This should mitigate attacks from Flash (See CVE-2014-4671). See https://github.com/Pylons/pyramid/pull/1649",
            "cve": "CVE-2014-4671",
            "id": "pyup.io-38002",
            "specs": [
                "<1.6a2"
            ],
            "v": "<1.6a2"
        }
    ],
    "mini-amf": [
        {
            "advisory": "mini-amf before 0.8 is vulnerable to XML entity attacks.",
            "cve": null,
            "id": "pyup.io-33048",
            "specs": [
                "<0.8"
            ],
            "v": "<0.8"
        }
    ],
    "misago": [
        {
            "advisory": "misago 0.19.4 updates requests to 2.20.0 resolving potential vulnerability in HTTP connections handling.",
            "cve": null,
            "id": "pyup.io-36607",
            "specs": [
                "<0.19.4"
            ],
            "v": "<0.19.4"
        }
    ],
    "mishmash": [
        {
            "advisory": "mishmash 0.3b12 - Pyaml >= 4.2b1 for security alert.",
            "cve": null,
            "id": "pyup.io-36795",
            "specs": [
                "<0.3b12"
            ],
            "v": "<0.3b12"
        }
    ],
    "mistune": [
        {
            "advisory": "mistune before 0.7.2 is vulnerable to an XSS attack. It is possible to bypass the renderer's link security check.",
            "cve": null,
            "id": "pyup.io-25890",
            "specs": [
                "<0.7.2"
            ],
            "v": "<0.7.2"
        },
        {
            "advisory": "mistune before 0.8.1 has a cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py which allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the \"key\" argument.",
            "cve": "CVE-2017-16876",
            "id": "pyup.io-36332",
            "specs": [
                "<0.8.1"
            ],
            "v": "<0.8.1"
        },
        {
            "advisory": "Mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\\nscript:) or a crafted email address, related to the escape and autolink functions.",
            "cve": null,
            "id": "pyup.io-35030",
            "specs": [
                "==0.7.4"
            ],
            "v": "==0.7.4"
        }
    ],
    "mitmproxy": [
        {
            "advisory": "mitmproxy before 0.17 has a XSS vulnerability in HTTP errors.",
            "cve": null,
            "id": "pyup.io-25891",
            "specs": [
                "<0.17"
            ],
            "v": "<0.17"
        },
        {
            "advisory": "mitmproxy before 4.0.3 does not protect mitmweb against DNS rebinding.",
            "cve": "CVE-2018-14505",
            "id": "pyup.io-36353",
            "specs": [
                "<4.0.3"
            ],
            "v": "<4.0.3"
        },
        {
            "advisory": "mitmproxy before 4.0.4 does not protect mitmweb against DNS rebinding.",
            "cve": "CVE-2018-14505",
            "id": "pyup.io-36352",
            "specs": [
                "<4.0.4"
            ],
            "v": "<4.0.4"
        }
    ],
    "mitogen": [
        {
            "advisory": "Before mitogen version 0.2.8, unidirectional routing, where contexts may optionally only communicate with parents and never siblings (so that air-gapped networks cannot be unintentionally bridged) was not inherited when a child was initiated directly from another child. This did not effect Ansible, since the controller initiates any new child used for routing, only forked tasks are initiated by children [gh:commit:`5924af15`].",
            "cve": null,
            "id": "pyup.io-37381",
            "specs": [
                "<0.2.8"
            ],
            "v": "<0.2.8"
        }
    ],
    "mixminion": [
        {
            "advisory": "mixminion before 0.0.2 is vulnerable to certain trivial DoS attacks. In particular, it's possible to send zlib bombs or flood a server with open connections.",
            "cve": null,
            "id": "pyup.io-25892",
            "specs": [
                "<0.0.2"
            ],
            "v": "<0.0.2"
        }
    ],
    "mkdocs-material": [
        {
            "advisory": "mkdocs-material before 1.0.0 uses _blank targets on links which make it vulnerable to Cross Site Scripting attacks.",
            "cve": null,
            "id": "pyup.io-32121",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "mlalchemy": [
        {
            "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.",
            "cve": "CVE-2017-16615",
            "id": "pyup.io-35718",
            "specs": [
                "<0.2.2"
            ],
            "v": "<0.2.2"
        }
    ],
    "mockup": [
        {
            "advisory": "mockup before 2.1.3 has XSS vulnerability issues in structure and relateditem patterns.",
            "cve": null,
            "id": "pyup.io-25893",
            "specs": [
                "<2.1.3"
            ],
            "v": "<2.1.3"
        }
    ],
    "moin": [
        {
            "advisory": "The password_checker function in config/multiconfig.py in MoinMoin 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors.",
            "cve": "CVE-2008-6549",
            "id": "pyup.io-25894",
            "specs": [
                "<1.6.1"
            ],
            "v": "<1.6.1"
        },
        {
            "advisory": "moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code.",
            "cve": null,
            "id": "pyup.io-36447",
            "specs": [
                "<1.9.10"
            ],
            "v": "<1.9.10"
        },
        {
            "advisory": "moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code, as well as CVE-2016-7146 and CVE-2016-9119.",
            "cve": null,
            "id": "pyup.io-36478",
            "specs": [
                "<1.9.10"
            ],
            "v": "<1.9.10"
        },
        {
            "advisory": "Moin 2.2.2 removes two cross-site scripting vulnerabilities reported by \"office\".",
            "cve": null,
            "id": "pyup.io-36475",
            "specs": [
                "<2.2.2"
            ],
            "v": "<2.2.2"
        }
    ],
    "mollie-api-python": [
        {
            "advisory": "mollie-api-python 2.0.4 updates requests to 2.20.0 because of a moderate severity vulnerability in versions prior to 2.20.0",
            "cve": null,
            "id": "pyup.io-36650",
            "specs": [
                "<2.0.4"
            ],
            "v": "<2.0.4"
        }
    ],
    "monero": [
        {
            "advisory": "Monero 0.10.0 includes a temporary patch (via a predefined user-agent) for the Cross-Site Request Forgery attack against monero-wallet-cli's RPC API.",
            "cve": null,
            "id": "pyup.io-37447",
            "specs": [
                "<0.10.0"
            ],
            "v": "<0.10.0"
        },
        {
            "advisory": "Monero 0.12.0.0 includes tweaked PoW to block DoS attacks from ASICs, as well as a way to securely erase keys from memory, for most cases, when no longer in use.",
            "cve": null,
            "id": "pyup.io-37446",
            "specs": [
                "<0.12.0.0"
            ],
            "v": "<0.12.0.0"
        },
        {
            "advisory": "Monero 0.9.1 includes a bug fix for the block 913193 attack, plus checkpoints.",
            "cve": null,
            "id": "pyup.io-37448",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        }
    ],
    "monoshape": [
        {
            "advisory": "Monoshape 1.2 updates Pillow version for security.",
            "cve": null,
            "id": "pyup.io-37605",
            "specs": [
                "<1.2"
            ],
            "v": "<1.2"
        }
    ],
    "mopidy-jellyfin": [
        {
            "advisory": "Mopidy-jellyfin 0.3.1 addresses a security vulnerability in one of its dependencies.",
            "cve": null,
            "id": "pyup.io-37281",
            "specs": [
                "<0.3.1"
            ],
            "v": "<0.3.1"
        }
    ],
    "morepath": [
        {
            "advisory": "morepath before 0.14 has no host header validation to protect against header poisoning attacks.",
            "cve": null,
            "id": "pyup.io-25895",
            "specs": [
                "<0.14"
            ],
            "v": "<0.14"
        }
    ],
    "mosql": [
        {
            "advisory": "mosql 0.10 includes several security related changes.",
            "cve": null,
            "id": "pyup.io-25896",
            "specs": [
                "<0.10"
            ],
            "v": "<0.10"
        }
    ],
    "mr.migrator": [
        {
            "advisory": "mr.migrator 1.2 fixes a form problem with security hotfix.",
            "cve": null,
            "id": "pyup.io-25897",
            "specs": [
                "<1.2"
            ],
            "v": "<1.2"
        }
    ],
    "msgpack": [
        {
            "advisory": "msgpack 0.6.0 contains some backward incompatible changes for security reason (DoS).",
            "cve": null,
            "id": "pyup.io-36700",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "mss": [
        {
            "advisory": "mss before 2.0.18 has a undisclosed security issue.",
            "cve": null,
            "id": "pyup.io-25898",
            "specs": [
                "<2.0.18"
            ],
            "v": "<2.0.18"
        }
    ],
    "mtga": [
        {
            "advisory": "mtga 2.0.0beta includes API security improvements & fixes.",
            "cve": null,
            "id": "pyup.io-36317",
            "specs": [
                "<2.0.0beta"
            ],
            "v": "<2.0.0beta"
        }
    ],
    "mtprotoproxy": [
        {
            "advisory": "mtprotoproxy before 1.0.0 has the potential to allow for passive detection given known string lengths.\r\nV1.0.0 now adds random paddings to prevent this.",
            "cve": null,
            "id": "pyup.io-36301",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        },
        {
            "advisory": "Mtprotoproxy 1.0.6 adds more protections from replay attacks.",
            "cve": null,
            "id": "pyup.io-37407",
            "specs": [
                "<1.0.6"
            ],
            "v": "<1.0.6"
        }
    ],
    "murano-dashboard": [
        {
            "advisory": "OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.",
            "cve": "CVE-2016-4972",
            "id": "pyup.io-25899",
            "specs": [
                ">=2.0,<2.0.1",
                "<1.0.3"
            ],
            "v": ">=2.0,<2.0.1,<1.0.3"
        }
    ],
    "mxnet": [
        {
            "advisory": "In mxnet before 1.0.0, mxnet listens on all available interfaces when running training in distributed mode.",
            "cve": null,
            "id": "pyup.io-35115",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "mysql-connector": [
        {
            "advisory": "Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Connector/Python.",
            "cve": "CVE-2016-5598",
            "id": "pyup.io-25900",
            "specs": [
                "<2.1.3"
            ],
            "v": "<2.1.3"
        }
    ],
    "mysql-connector-python": [
        {
            "advisory": "Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Connector/Python.",
            "cve": "CVE-2016-5598",
            "id": "pyup.io-25901",
            "specs": [
                "<2.0.4"
            ],
            "v": "<2.0.4"
        },
        {
            "advisory": "Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 8.0.13 and prior and 2.1.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized access to critical data or complete access to all MySQL Connectors accessible data.",
            "cve": "CVE-2019-2435",
            "id": "pyup.io-36816",
            "specs": [
                "<=8.0.13"
            ],
            "v": "<=8.0.13"
        }
    ],
    "nanopb": [
        {
            "advisory": "Nanopb 0.2.8 fixes a security issue with PB_ENABLE_MALLOC.",
            "cve": null,
            "id": "pyup.io-37705",
            "specs": [
                "<0.2.8"
            ],
            "v": "<0.2.8"
        },
        {
            "advisory": "Nanopb 0.2.9.1 fixes a security issue due to size_t overflows.",
            "cve": null,
            "id": "pyup.io-37808",
            "specs": [
                "<0.2.9.1"
            ],
            "v": "<0.2.9.1"
        },
        {
            "advisory": "Nanopb before 0.3.1 fixes a security issue due to size_t overflows.",
            "cve": null,
            "id": "pyup.io-37704",
            "specs": [
                "<0.3.1"
            ],
            "v": "<0.3.1"
        },
        {
            "advisory": "Nanopb 0.2.9.1 and 0.3.1 fix a security issue due to size_t overflows (issue 132).",
            "cve": null,
            "id": "pyup.io-37706",
            "specs": [
                ">=0.3.0,<0.3.1",
                ">=0.2.0,<0.2.9.1"
            ],
            "v": ">=0.3.0,<0.3.1,>=0.2.0,<0.2.9.1"
        }
    ],
    "nba-scraper": [
        {
            "advisory": "Nba-scraper 0.2.7 removes a security flaw where it wasn't verifying SSL certificates during testing.",
            "cve": null,
            "id": "pyup.io-37142",
            "specs": [
                "<0.2.7"
            ],
            "v": "<0.2.7"
        }
    ],
    "nearbeach": [
        {
            "advisory": "Nearbeach 0.22.1 fixes several security issues in relation to Bandit, identified by Nearbeach as BUG491, BUG492, BUG493, BUG494, BUG495, BUG496, BUG497, and BUG498.",
            "cve": null,
            "id": "pyup.io-37602",
            "specs": [
                "<0.22.1"
            ],
            "v": "<0.22.1"
        }
    ],
    "neo-python": [
        {
            "advisory": "neo-python 0.7.8 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.",
            "cve": null,
            "id": "pyup.io-36441",
            "specs": [
                "<0.7.8"
            ],
            "v": "<0.7.8"
        }
    ],
    "netdumplings": [
        {
            "advisory": "Netdumplings 0.4.0 updates the websockets dependency to v7 to fix security warnings.",
            "cve": null,
            "id": "pyup.io-37208",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "newrelic": [
        {
            "advisory": "New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional INSERT or UPDATE command. With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.",
            "cve": null,
            "id": "pyup.io-35805",
            "specs": [
                ">=1.1.0.192,<=2.106.0.87"
            ],
            "v": ">=1.1.0.192,<=2.106.0.87"
        }
    ],
    "newsletter": [
        {
            "advisory": "newsletter 0.1.17pre in newsletterapp is now more secure by default.  Does not setup default users for admin section.",
            "cve": null,
            "id": "pyup.io-25902",
            "specs": [
                "<0.1.17pre"
            ],
            "v": "<0.1.17pre"
        }
    ],
    "nfw": [
        {
            "advisory": "nfw before 0.0.7 is vulnerable to SQL-injection attacks.",
            "cve": null,
            "id": "pyup.io-32994",
            "specs": [
                "<0.0.7"
            ],
            "v": "<0.0.7"
        }
    ],
    "ngraph-mxnet": [
        {
            "advisory": "ngraph-mxnet 1.0.0 fixed a security bug that is causing MXNet to listen on all available interfaces when running training in distributed mode.",
            "cve": null,
            "id": "pyup.io-36701",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "nifcloud": [
        {
            "advisory": "Nifcloud 0.1.7 updates dependencies to fix a vulnerability.",
            "cve": null,
            "id": "pyup.io-37098",
            "specs": [
                "<0.1.7"
            ],
            "v": "<0.1.7"
        }
    ],
    "noiseprotocol": [
        {
            "advisory": "noiseprotocol before 0.2.1 used an insecure transitive dependency (Cryptography<=2.1.3).",
            "cve": null,
            "id": "pyup.io-35043",
            "specs": [
                "<0.2.1"
            ],
            "v": "<0.2.1"
        }
    ],
    "normcap": [
        {
            "advisory": "Normcap 0.1.1 updates PyInstaller to avoid potential vulnerability.",
            "cve": null,
            "id": "pyup.io-37722",
            "specs": [
                "<0.1.1"
            ],
            "v": "<0.1.1"
        }
    ],
    "notable": [
        {
            "advisory": "notable 0.0.6 fixes a security regression in the new BoltDB backend.",
            "cve": null,
            "id": "pyup.io-34447",
            "specs": [
                "<0.0.6"
            ],
            "v": "<0.0.6"
        }
    ],
    "notebook": [
        {
            "advisory": "The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.",
            "cve": "CVE-2015-7337",
            "id": "pyup.io-25903",
            "specs": [
                "<4.0.5"
            ],
            "v": "<4.0.5"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name.  NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.",
            "cve": "CVE-2015-6938",
            "id": "pyup.io-25904",
            "specs": [
                ">=4.0,<4.0.5"
            ],
            "v": ">=4.0,<4.0.5"
        }
    ],
    "notifications-python-client": [
        {
            "advisory": "notifications-python-client before 4.7.1 is vulnerable to a not further described security issue in PyJWT.",
            "cve": null,
            "id": "pyup.io-35116",
            "specs": [
                "<4.7.1"
            ],
            "v": "<4.7.1"
        }
    ],
    "nova": [
        {
            "advisory": "OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY. See CVE-2011-4076.",
            "cve": "CVE-2011-4076",
            "id": "pyup.io-37736",
            "specs": [
                "<2012.1"
            ],
            "v": "<2012.1"
        },
        {
            "advisory": "Versions of nova before 2012.1 could expose hypervisor host files to a guest operating system when processing a maliciously constructed qcow filesystem. See: CVE-2011-3147.",
            "cve": "CVE-2011-3147",
            "id": "pyup.io-37087",
            "specs": [
                "<2012.1"
            ],
            "v": "<2012.1"
        },
        {
            "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.",
            "cve": "CVE-2013-1068",
            "id": "pyup.io-25905",
            "specs": [
                "<2013.2.3"
            ],
            "v": "<2013.2.3"
        }
    ],
    "nsupdate": [
        {
            "advisory": "nsupdate before 0.3.0 is vulnerable to a undisclosed security issue.",
            "cve": null,
            "id": "pyup.io-25906",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        },
        {
            "advisory": "nsupdate 0.8.0 fixes a security issue: abuse_blocked flag could be worked around by abuser.",
            "cve": null,
            "id": "pyup.io-25907",
            "specs": [
                "<0.8.0"
            ],
            "v": "<0.8.0"
        },
        {
            "advisory": "nsupdate 0.9.1 fixes a security issue with \"related hosts\" / \"service updaters\".",
            "cve": null,
            "id": "pyup.io-25908",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        }
    ],
    "numpy": [
        {
            "advisory": "An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.",
            "cve": "CVE-2019-6446",
            "id": "pyup.io-36810",
            "specs": [
                "<=1.16.0"
            ],
            "v": "<=1.16.0"
        }
    ],
    "oauth2": [
        {
            "advisory": "The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.",
            "cve": "CVE-2013-4346",
            "id": "pyup.io-35462",
            "specs": [
                "<1.9"
            ],
            "v": "<1.9"
        },
        {
            "advisory": "The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.",
            "cve": "CVE-2013-4347",
            "id": "pyup.io-35463",
            "specs": [
                "<1.9"
            ],
            "v": "<1.9"
        }
    ],
    "oauthlib": [
        {
            "advisory": "oauthlib before 0.7.0 is not stripping client provided passwords from OAuth2 logs.",
            "cve": null,
            "id": "pyup.io-25909",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        }
    ],
    "oci": [
        {
            "advisory": "oci 2.0.2 opened up the dependency pinning on cryptography due to CVE-2018-10903 - OCI does not call the affected method in cryptography, but upgrading is recommended",
            "cve": "CVE-2018-10903",
            "id": "pyup.io-37415",
            "specs": [
                "<2.0.2"
            ],
            "v": "<2.0.2"
        },
        {
            "advisory": "In oci 2.1.3 pyOpenSSL pinning was changed to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability `CVE-2018-1000808`",
            "cve": null,
            "id": "pyup.io-36786",
            "specs": [
                "<2.1.3"
            ],
            "v": "<2.1.3"
        },
        {
            "advisory": "oci 2.1.3 pyOpenSSL pinning was changed to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808",
            "cve": "CVE-2018-1000808",
            "id": "pyup.io-37831",
            "specs": [
                "<2.1.3"
            ],
            "v": "<2.1.3"
        },
        {
            "advisory": "oci 2.10.0 changes pyOpenSSL pinning to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808",
            "cve": "CVE-2018-1000808",
            "id": "pyup.io-37830",
            "specs": [
                "<2.10.0"
            ],
            "v": "<2.10.0"
        }
    ],
    "oci-cli": [
        {
            "advisory": "Versions of oci-cli prior to 2.4.10 are affected by a security vulnerability. Versions 2.4.11 and later will automatically detect vulnerable installations, and if issues are detected, a warning will be displayed to the user. These issues can be remediated automatically by running the ``oci setup repair-file-permissions`` command.",
            "cve": null,
            "id": "pyup.io-36148",
            "specs": [
                "<2.4.10"
            ],
            "v": "<2.4.10"
        },
        {
            "advisory": "In oci-cli 2.4.40, pyOpenSSL was upgraded to version 17.5.0 and cryptography to version 2.1.4 to address a vulnerability identified on GitHub as CVE-2018-1000808.",
            "cve": "CVE-2018-1000808",
            "id": "pyup.io-36804",
            "specs": [
                "<2.4.40"
            ],
            "v": "<2.4.40"
        },
        {
            "advisory": "Oci-cli 2.5.9 upgrades Jinja2 to version 2.10.1 to address a vulnerability identified on GitHub as CVE-2019-10906. Jinga isn't used in Oci-cli's run-time system but as part of its documentation build process.",
            "cve": "CVE-2019-10906",
            "id": "pyup.io-37139",
            "specs": [
                "<2.5.9"
            ],
            "v": "<2.5.9"
        },
        {
            "advisory": "Oci-cli 2.6.3 fixes CVE-2017-18342. In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.",
            "cve": "CVE-2017-18342",
            "id": "pyup.io-37417",
            "specs": [
                "<2.6.3"
            ],
            "v": "<2.6.3"
        }
    ],
    "octavia": [
        {
            "advisory": "An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.",
            "cve": "CVE-2019-3895",
            "id": "pyup.io-37192",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        },
        {
            "advisory": "Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.",
            "cve": "CVE-2019-17134",
            "id": "pyup.io-37547",
            "specs": [
                ">=0.10.0,<2.1.2",
                ">=3.0.0,<3.2.0",
                ">=4.0.0,<4.1.0"
            ],
            "v": ">=0.10.0,<2.1.2,>=3.0.0,<3.2.0,>=4.0.0,<4.1.0"
        }
    ],
    "oe-geoutils": [
        {
            "advisory": "Oe-geoutils 1.5.2 solves security vulnerabilities from external packages 101.",
            "cve": null,
            "id": "pyup.io-37666",
            "specs": [
                "<1.5.2"
            ],
            "v": "<1.5.2"
        }
    ],
    "onegov.form": [
        {
            "advisory": "onegov.form before 0.16.1 is not escaping HTML labels in the dynamic formbuilder.",
            "cve": null,
            "id": "pyup.io-25911",
            "specs": [
                "<0.16.1"
            ],
            "v": "<0.16.1"
        }
    ],
    "onelogin-aws-assume-role": [
        {
            "advisory": "For security reasons, onelogin-aws-assume-role 1.3.0 removes the ability to provide the IP using a command line parameter and is instead able to provide the IP address at the onelogin.sdk.json file.",
            "cve": null,
            "id": "pyup.io-37158",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        }
    ],
    "onixcheck": [
        {
            "advisory": "onixcheck 0.8.0 adds secured XML-Parsing via defusedxml.",
            "cve": null,
            "id": "pyup.io-25912",
            "specs": [
                "<0.8.0"
            ],
            "v": "<0.8.0"
        }
    ],
    "oodt": [
        {
            "advisory": "oodt before 0.4 is vulnerable to XSS attacks via malformed query strings.",
            "cve": null,
            "id": "pyup.io-25913",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        }
    ],
    "ooniprobe": [
        {
            "advisory": "ooniprobe before 1.0.2 is vulnerable to several undisclosed security issues.",
            "cve": null,
            "id": "pyup.io-25914",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        }
    ],
    "openapigenerator": [
        {
            "advisory": "Openapigenerator 3.2.2 updates vulnerable dependencies (JavaScript, #784).",
            "cve": null,
            "id": "pyup.io-37622",
            "specs": [
                "",
                "<3.2.2"
            ],
            "v": ",<3.2.2"
        },
        {
            "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).",
            "cve": null,
            "id": "pyup.io-37796",
            "specs": [
                "<3.2.1"
            ],
            "v": "<3.2.1"
        },
        {
            "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).",
            "cve": null,
            "id": "pyup.io-37631",
            "specs": [
                "<3.2.1"
            ],
            "v": "<3.2.1"
        },
        {
            "advisory": "Openapigenerator 3.3.2 fixes the Jackson databind security issue (Java, #1259).",
            "cve": null,
            "id": "pyup.io-37629",
            "specs": [
                "<3.3.2"
            ],
            "v": "<3.3.2"
        },
        {
            "advisory": "Openapigenerator 3.3.3 fixes jackson-databind (Java) security issue #1259.",
            "cve": null,
            "id": "pyup.io-37797",
            "specs": [
                "<3.3.3"
            ],
            "v": "<3.3.3"
        },
        {
            "advisory": "Openapigenerator 4.0.0 upgrades GRADLE to 2.14.1 to fix a vulnerability (Android, Java, Scala, #2416).",
            "cve": null,
            "id": "pyup.io-37627",
            "specs": [
                "<4.0.0"
            ],
            "v": "<4.0.0"
        },
        {
            "advisory": "Apenapigenerator v4.0.0-beta3 upgrades GRADLE to 2.14.1 to fix a vulnerability (Java, Scala, #2416).",
            "cve": null,
            "id": "pyup.io-37630",
            "specs": [
                "<4.0.0b3"
            ],
            "v": "<4.0.0b3"
        },
        {
            "advisory": "Openapigenerator 4.0.0beta2 fixes a security issue with dependencies (Java, #1820).",
            "cve": null,
            "id": "pyup.io-37628",
            "specs": [
                "<4.0.0beta2"
            ],
            "v": "<4.0.0beta2"
        },
        {
            "advisory": "Openapigenerator 4.0.2 bumps up the babel-cli version to fix security alert (Javascript/NodeJS, #3121).",
            "cve": null,
            "id": "pyup.io-37626",
            "specs": [
                "<4.0.2"
            ],
            "v": "<4.0.2"
        },
        {
            "advisory": "Openapigenerator 4.0.3 update JS flow dependencies to fix security issues (JavaScript, #3296).",
            "cve": null,
            "id": "pyup.io-37625",
            "specs": [
                "<4.0.3"
            ],
            "v": "<4.0.3"
        },
        {
            "advisory": "Openapigenerator 4.1.0 updates to address recent lodash Object prototype vulnerability (general, #3348).",
            "cve": null,
            "id": "pyup.io-37624",
            "specs": [
                "<4.1.0"
            ],
            "v": "<4.1.0"
        },
        {
            "advisory": "Openapigenerator 4.1.3 fixes the jackson-databind security issue (general, #3945).",
            "cve": null,
            "id": "pyup.io-37623",
            "specs": [
                "<4.1.3"
            ],
            "v": "<4.1.3"
        },
        {
            "advisory": "Openapigenerator 4.2.1 fixes the Jackson databind security issue (Java, #4370).",
            "cve": null,
            "id": "pyup.io-37798",
            "specs": [
                "<4.2.1"
            ],
            "v": "<4.2.1"
        },
        {
            "advisory": "Openapigenerator 4.3.0 fixes CVE-2020-8130 [Ruby - #5483].",
            "cve": "CVE-2020-8130",
            "id": "pyup.io-38120",
            "specs": [
                "<4.3.0"
            ],
            "v": "<4.3.0"
        }
    ],
    "openslides": [
        {
            "advisory": "openslides 2.1 now validates HTML strings from CKEditor against XSS attacks.",
            "cve": null,
            "id": "pyup.io-34681",
            "specs": [
                "<2.1"
            ],
            "v": "<2.1"
        }
    ],
    "opentaxii": [
        {
            "advisory": "opentaxii 0.1.11 requires recent version of `lxml` for security reasons.",
            "cve": null,
            "id": "pyup.io-36897",
            "specs": [
                "<0.1.11"
            ],
            "v": "<0.1.11"
        }
    ],
    "ores": [
        {
            "advisory": "Ores 1.3.1 addresses yaml security issue by bumping dependency version",
            "cve": null,
            "id": "pyup.io-37949",
            "specs": [
                "<1.3.1"
            ],
            "v": "<1.3.1"
        }
    ],
    "otpauth": [
        {
            "advisory": "otpauth before 1.0.1 is vulnerable to timing attacks.",
            "cve": null,
            "id": "pyup.io-25915",
            "specs": [
                "<1.0.1"
            ],
            "v": "<1.0.1"
        }
    ],
    "ovirt-engine-sdk-python": [
        {
            "advisory": "The python SDK before 3.1.0.6 and CLI before 3.1.0.8 for oVirt 3.1 does not check the server SSL certificate against the client keys, which allows remote attackers to spoof a server via a man-in-the-middle (MITM) attack.",
            "cve": "CVE-2012-3533",
            "id": "pyup.io-25916",
            "specs": [
                "<3.1.0.8"
            ],
            "v": "<3.1.0.8"
        },
        {
            "advisory": "ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.",
            "cve": "CVE-2014-0161",
            "id": "pyup.io-37754",
            "specs": [
                "<3.4.0.7",
                "==3.5.0.4"
            ],
            "v": "<3.4.0.7,==3.5.0.4"
        }
    ],
    "ovs": [
        {
            "advisory": "ovs 1.3.0 includes a fix that flow setups are now processed in a round-robin manner across ports to prevent any single client from monopolizing the CPU and conducting a denial of service attack.",
            "cve": null,
            "id": "pyup.io-25917",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        }
    ],
    "owlmixin": [
        {
            "advisory": "An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A \"Load YAML\" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.",
            "cve": "CVE-2017-16618",
            "id": "pyup.io-35720",
            "specs": [
                "<2.0.0a12"
            ],
            "v": "<2.0.0a12"
        }
    ],
    "pakettikauppa": [
        {
            "advisory": "pakettikauppa 0.1.2 fixes Pip files and requirement files for fixing security issue in pyyaml module",
            "cve": null,
            "id": "pyup.io-36779",
            "specs": [
                "<0.1.2"
            ],
            "v": "<0.1.2"
        }
    ],
    "palladium": [
        {
            "advisory": "Palladium 1.2.2 updates requirements, fixing potential security vulnerabilities in dependencies.",
            "cve": null,
            "id": "pyup.io-37378",
            "specs": [
                "<1.2.2"
            ],
            "v": "<1.2.2"
        }
    ],
    "pandevice": [
        {
            "advisory": "Pandevice 0.11.0 adds `uuid` params for security and NAT rules.",
            "cve": null,
            "id": "pyup.io-37198",
            "specs": [
                "<0.11.0"
            ],
            "v": "<0.11.0"
        }
    ],
    "pando": [
        {
            "advisory": "pando before 0.39 is vulnerable to security bugs related to CRLF injection.",
            "cve": null,
            "id": "pyup.io-25918",
            "specs": [
                "<0.39"
            ],
            "v": "<0.39"
        },
        {
            "advisory": "pando before 0.42 is vulnerable to URL redirection attacks.",
            "cve": null,
            "id": "pyup.io-25919",
            "specs": [
                "<0.42"
            ],
            "v": "<0.42"
        }
    ],
    "paradrop": [
        {
            "advisory": "Paradrop 0.10.0 supports more WiFi encryption settings, including properly supporting CCMP for better security.",
            "cve": null,
            "id": "pyup.io-37491",
            "specs": [
                "<0.10.0"
            ],
            "v": "<0.10.0"
        },
        {
            "advisory": "Paradrop 0.13.0 updates dependency versions to address vulnerabilities in old versions of pyOpenSSL, requests, and urllib3.",
            "cve": null,
            "id": "pyup.io-37490",
            "specs": [
                "<0.13.0"
            ],
            "v": "<0.13.0"
        },
        {
            "advisory": "Paradrop 0.5 secures the router settings page with a login system.",
            "cve": null,
            "id": "pyup.io-37492",
            "specs": [
                "<0.5"
            ],
            "v": "<0.5"
        }
    ],
    "paramiko-ng": [
        {
            "advisory": "Paramiko-ng 1.7.2 fixes the PRNG to be more secure on windows and in cases where fork() is called.",
            "cve": null,
            "id": "pyup.io-37114",
            "specs": [
                "<1.7.2"
            ],
            "v": "<1.7.2"
        }
    ],
    "passlib": [
        {
            "advisory": "passlib before 1.4 not disabled unix_fallback's \"wildcard password\" support unless explicitly enabled by user.",
            "cve": null,
            "id": "pyup.io-25921",
            "specs": [
                "<1.4"
            ],
            "v": "<1.4"
        }
    ],
    "paste": [
        {
            "advisory": "paste before 0.9.5 has a security vulnerability in ``paste.urlparser``'s StaticURLParser and PkgResourcesParser where, with some servers, you could escape the document root.",
            "cve": null,
            "id": "pyup.io-25922",
            "specs": [
                "<0.9.5"
            ],
            "v": "<0.9.5"
        },
        {
            "advisory": "paste 1.1 includes a security fix for ``paste.urlparser.StaticURLParser``.  The problem allowed escaping the root (and reading files) when used with ``paste.httpserver`` (this does not effect other servers, and does not apply when proxying requests from Apache to  ``paste.httpserver``).",
            "cve": null,
            "id": "pyup.io-25923",
            "specs": [
                "<1.1"
            ],
            "v": "<1.1"
        },
        {
            "advisory": "paste before 1.7.4 is vulnerable to a XSS attack in paste.urlparser.StaticURLParser.",
            "cve": null,
            "id": "pyup.io-25924",
            "specs": [
                "<1.7.4"
            ],
            "v": "<1.7.4"
        },
        {
            "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.",
            "cve": "CVE-2010-2477",
            "id": "pyup.io-35340",
            "specs": [
                "<1.7.4"
            ],
            "v": "<1.7.4"
        }
    ],
    "pastescript": [
        {
            "advisory": "Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.",
            "cve": "CVE-2012-0878",
            "id": "pyup.io-25925",
            "specs": [
                "<1.7.5"
            ],
            "v": "<1.7.5"
        }
    ],
    "pconf": [
        {
            "advisory": "pconf before 1.3.3 is vulnerable to arbitrary code execution related to [CVE-2017-18342](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342) because of YAML's `load`. \r\nThis upgrades to use YAML `safe_load` instead of `load`.",
            "cve": "CVE-2017-18342",
            "id": "pyup.io-36293",
            "specs": [
                "<1.3.3"
            ],
            "v": "<1.3.3"
        }
    ],
    "pcp": [
        {
            "advisory": "pcp before 2.1.911 has a not further described vulnerability in pcp.spec.in.",
            "cve": null,
            "id": "pyup.io-25926",
            "specs": [
                "<2.1.911"
            ],
            "v": "<2.1.911"
        }
    ],
    "pdfextract": [
        {
            "advisory": "pdfextract before 0.0.2 is using `eval` on filenames, leading to execution of arbitrary Python code.",
            "cve": null,
            "id": "pyup.io-25927",
            "specs": [
                "<0.0.2"
            ],
            "v": "<0.0.2"
        }
    ],
    "pdkit": [
        {
            "advisory": "Pdkit 1.2.1 includes an unspecified security fix for included libraries.",
            "cve": null,
            "id": "pyup.io-37793",
            "specs": [
                "<1.2.1"
            ],
            "v": "<1.2.1"
        }
    ],
    "peewee": [
        {
            "advisory": "The main change in this release is the removal of the `AESEncryptedField`,\r\nwhich was included as part of the `playhouse.fields` extension. It was brought\r\nto my attention that there was some serious potential for security\r\nvulnerabilities. Rather than give users a false sense of security, I've decided\r\nthe best course of action is to remove the field.",
            "cve": null,
            "id": "pyup.io-34337",
            "specs": [
                "<2.10.0"
            ],
            "v": "<2.10.0"
        }
    ],
    "peppercorn": [
        {
            "advisory": "peppercorn before 0.5 is vulnerable to DoS attacks due to the use of an iterative parser rather than a recursive parser.",
            "cve": null,
            "id": "pyup.io-25928",
            "specs": [
                "<0.5"
            ],
            "v": "<0.5"
        }
    ],
    "pex": [
        {
            "advisory": "pex before 0.5.6 follows links which may lead to security issues: https://rbcommons.com/s/twitter/r/293/.",
            "cve": null,
            "id": "pyup.io-25929",
            "specs": [
                "<0.5.6"
            ],
            "v": "<0.5.6"
        }
    ],
    "phileo": [
        {
            "advisory": "phileo before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).",
            "cve": null,
            "id": "pyup.io-25930",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        }
    ],
    "pigar": [
        {
            "advisory": "pigar 0.9.1 sixes some potential security vulnerabilities",
            "cve": null,
            "id": "pyup.io-36904",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        }
    ],
    "pillow": [
        {
            "advisory": "pillow before 2.3.1 makes insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933).",
            "cve": null,
            "id": "pyup.io-25931",
            "specs": [
                "<2.3.1"
            ],
            "v": "<2.3.1"
        },
        {
            "advisory": "pillow before 2.3.2 is vulnerable to a DOS in the IcnsImagePlugin.",
            "cve": null,
            "id": "pyup.io-25932",
            "specs": [
                "<2.3.2"
            ],
            "v": "<2.3.2"
        },
        {
            "advisory": "pillow before 2.5.2 is vulnerable to a DoS in the IcnsImagePlugin.",
            "cve": null,
            "id": "pyup.io-25933",
            "specs": [
                "<2.5.2"
            ],
            "v": "<2.5.2"
        },
        {
            "advisory": "pillow before 2.5.3 is vulnerable to a DoS in the Jpeg2KImagePlugin.",
            "cve": null,
            "id": "pyup.io-25934",
            "specs": [
                "<2.5.3"
            ],
            "v": "<2.5.3"
        },
        {
            "advisory": "pillow before 2.6.0rc1 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.",
            "cve": null,
            "id": "pyup.io-25935",
            "specs": [
                "<2.6.0rc1"
            ],
            "v": "<2.6.0rc1"
        },
        {
            "advisory": "pillow before 2.6.2 is vulnerable to a PNG decompression DoS (CVE-2014-9601).",
            "cve": null,
            "id": "pyup.io-25936",
            "specs": [
                "<2.6.2"
            ],
            "v": "<2.6.2"
        },
        {
            "advisory": "pillow before 2.7.0 is vulnerable to a PNG decompression DoS (CVE-2014-9601).",
            "cve": null,
            "id": "pyup.io-25937",
            "specs": [
                "<2.7.0"
            ],
            "v": "<2.7.0"
        },
        {
            "advisory": "Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.",
            "cve": "CVE-2016-0740",
            "id": "pyup.io-33134",
            "specs": [
                "<3.1.1"
            ],
            "v": "<3.1.1"
        },
        {
            "advisory": "Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.",
            "cve": "CVE-2016-0775",
            "id": "pyup.io-33135",
            "specs": [
                "<3.1.1"
            ],
            "v": "<3.1.1"
        },
        {
            "advisory": "Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.",
            "cve": "CVE-2016-2533",
            "id": "pyup.io-33136",
            "specs": [
                "<3.1.1"
            ],
            "v": "<3.1.1"
        },
        {
            "advisory": "Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.",
            "cve": "CVE-2016-4009",
            "id": "pyup.io-33137",
            "specs": [
                "<3.1.1"
            ],
            "v": "<3.1.1"
        },
        {
            "advisory": "pillow before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.",
            "cve": null,
            "id": "pyup.io-25943",
            "specs": [
                "<3.1.2"
            ],
            "v": "<3.1.2"
        },
        {
            "advisory": "Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the \"crafted image file\" approach, related to an \"Insecure Sign Extension\" issue affecting the ImagingNew in Storage.c component.",
            "cve": "CVE-2016-9190",
            "id": "pyup.io-33138",
            "specs": [
                "<3.3.2"
            ],
            "v": "<3.3.2"
        },
        {
            "advisory": "Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the \"crafted image file\" approach, related to an \"Integer Overflow\" issue affecting the Image.core.map_buffer in map.c component.",
            "cve": "CVE-2016-9189",
            "id": "pyup.io-33139",
            "specs": [
                "<3.3.2"
            ],
            "v": "<3.3.2"
        },
        {
            "advisory": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.",
            "cve": "CVE-2020-5313",
            "id": "pyup.io-37782",
            "specs": [
                "<6.2.2"
            ],
            "v": "<6.2.2"
        },
        {
            "advisory": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. See:CVE-2020-5312.",
            "cve": "CVE-2020-5312",
            "id": "pyup.io-37781",
            "specs": [
                "<6.2.2"
            ],
            "v": "<6.2.2"
        },
        {
            "advisory": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. See: CVE-2020-5311.",
            "cve": "CVE-2020-5311",
            "id": "pyup.io-37780",
            "specs": [
                "<6.2.2"
            ],
            "v": "<6.2.2"
        },
        {
            "advisory": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.",
            "cve": "CVE-2020-5310",
            "id": "pyup.io-37779",
            "specs": [
                "<6.2.2"
            ],
            "v": "<6.2.2"
        },
        {
            "advisory": "There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. See: CVE-2019-19911.",
            "cve": "CVE-2019-19911",
            "id": "pyup.io-37772",
            "specs": [
                ">6.0,<6.2.2"
            ],
            "v": ">6.0,<6.2.2"
        }
    ],
    "pillow-simd": [
        {
            "advisory": "pillow-simd before 2.3.2 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.",
            "cve": null,
            "id": "pyup.io-25947",
            "specs": [
                "<2.3.2"
            ],
            "v": "<2.3.2"
        },
        {
            "advisory": "pillow-simd before 2.5.2 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.",
            "cve": null,
            "id": "pyup.io-25948",
            "specs": [
                "<2.5.2"
            ],
            "v": "<2.5.2"
        },
        {
            "advisory": "pillow-simd before 2.5.3 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.",
            "cve": null,
            "id": "pyup.io-25949",
            "specs": [
                "<2.5.3"
            ],
            "v": "<2.5.3"
        },
        {
            "advisory": "pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.",
            "cve": null,
            "id": "pyup.io-25950",
            "specs": [
                "<2.6.0rc1"
            ],
            "v": "<2.6.0rc1"
        },
        {
            "advisory": "pillow-simd before 2.6.2 is vulnerable to a PNG decompression DoS (CVE-2014-9601).",
            "cve": null,
            "id": "pyup.io-25951",
            "specs": [
                "<2.6.2"
            ],
            "v": "<2.6.2"
        },
        {
            "advisory": "pillow-simd before 2.7.0 is vulnerable to a PNG decompression DoS (CVE-2014-9601).",
            "cve": null,
            "id": "pyup.io-25952",
            "specs": [
                "<2.7.0"
            ],
            "v": "<2.7.0"
        },
        {
            "advisory": "pillow-simd before 3.1.1 is vulnerable to multiple buffer overlows in Resample.c, PcdDecode.c, FliDecode.c and TiffDecode.c.",
            "cve": null,
            "id": "pyup.io-25953",
            "specs": [
                "<3.1.1"
            ],
            "v": "<3.1.1"
        },
        {
            "advisory": "pillow-simd before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.",
            "cve": null,
            "id": "pyup.io-25954",
            "specs": [
                "<3.1.2"
            ],
            "v": "<3.1.2"
        }
    ],
    "pim-dm": [
        {
            "advisory": "pim-dm 1.0 includes dissertation work and an unspecified security implementation",
            "cve": null,
            "id": "pyup.io-37857",
            "specs": [
                "<1.0"
            ],
            "v": "<1.0"
        }
    ],
    "pinax-likes": [
        {
            "advisory": "pinax-likes before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).",
            "cve": null,
            "id": "pyup.io-25955",
            "specs": [
                "<0.3"
            ],
            "v": "<0.3"
        }
    ],
    "pip": [
        {
            "advisory": "pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.",
            "cve": "CVE-2013-1629",
            "id": "pyup.io-33140",
            "specs": [
                "<1.3"
            ],
            "v": "<1.3"
        },
        {
            "advisory": "pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.",
            "cve": "CVE-2013-1888",
            "id": "pyup.io-33141",
            "specs": [
                "<1.3"
            ],
            "v": "<1.3"
        },
        {
            "advisory": "pip 1.4 includes a security patch to pip's ssl support related to certificate DNS wildcard matching.",
            "cve": null,
            "id": "pyup.io-25959",
            "specs": [
                "<1.4"
            ],
            "v": "<1.4"
        },
        {
            "advisory": "The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. See CVE-2013-5123.",
            "cve": "CVE-2013-5123",
            "id": "pyup.io-37752",
            "specs": [
                "<1.5"
            ],
            "v": "<1.5"
        },
        {
            "advisory": "pip before 6.0 is not using a randomized and secure default build directory when possible. (CVE-2014-8991).",
            "cve": null,
            "id": "pyup.io-25960",
            "specs": [
                "<6.0"
            ],
            "v": "<6.0"
        },
        {
            "advisory": "pip before 6.1.0 bundles a request release with a known security vulnerability. See  CVE-2015-2296.",
            "cve": null,
            "id": "pyup.io-25961",
            "specs": [
                "<6.1.0"
            ],
            "v": "<6.1.0"
        }
    ],
    "pirate-get": [
        {
            "advisory": "pirate-get before 0.2.8 is not properly validating torrent file names.\r\n\r\n- https://github.com/vikstrous/pirate-get/issues/73",
            "cve": null,
            "id": "pyup.io-34168",
            "specs": [
                "<0.2.8"
            ],
            "v": "<0.2.8"
        }
    ],
    "pkgcore": [
        {
            "advisory": "pkgcore 0.4.7.12 includes a security fix; force cwd to something controlled for ebuild env.  This blocks an attack detailed in glsa 200810-02; namely that an ebuild invoking python -c (which looks in cwd for modules to load) allows for an attacker to slip something in.",
            "cve": null,
            "id": "pyup.io-25962",
            "specs": [
                "<0.4.7.12"
            ],
            "v": "<0.4.7.12"
        }
    ],
    "platformio": [
        {
            "advisory": "platformio 4.1.0 fixes a security issue when extracting items from TAR archive - see https://github.com/platformio/platformio-core/issues/2995",
            "cve": null,
            "id": "pyup.io-37869",
            "specs": [
                "<4.1.0"
            ],
            "v": "<4.1.0"
        }
    ],
    "plomino": [
        {
            "advisory": "plomino before 1.18 has a major vulnerability in open_url (now, targeted sources must be declared safe from an local package).",
            "cve": null,
            "id": "pyup.io-25963",
            "specs": [
                "<1.18"
            ],
            "v": "<1.18"
        },
        {
            "advisory": "plomino 1.5.3 includes a security fix: when a group has PlominoAuthors rights, members of this group are just authors on their own documents.",
            "cve": null,
            "id": "pyup.io-25964",
            "specs": [
                "<1.5.3"
            ],
            "v": "<1.5.3"
        }
    ],
    "plone": [
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject.",
            "cve": "CVE-2011-1340",
            "id": "pyup.io-25966",
            "specs": [
                "<2.5.3"
            ],
            "v": "<2.5.3"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform.",
            "cve": "CVE-2010-2422",
            "id": "pyup.io-25967",
            "specs": [
                "<3.3.4"
            ],
            "v": "<3.3.4"
        },
        {
            "advisory": "kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL.",
            "cve": "CVE-2012-5496",
            "id": "pyup.io-33143",
            "specs": [
                "<4.0"
            ],
            "v": "<4.0"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.",
            "cve": "CVE-2011-1948",
            "id": "pyup.io-25972",
            "specs": [
                "<4.1"
            ],
            "v": "<4.1"
        },
        {
            "advisory": "Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
            "cve": "CVE-2011-4462",
            "id": "pyup.io-25973",
            "specs": [
                "<4.1.3"
            ],
            "v": "<4.1.3"
        },
        {
            "advisory": "plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.",
            "cve": "CVE-2011-1950",
            "id": "pyup.io-25974",
            "specs": [
                "<4.2"
            ],
            "v": "<4.2"
        },
        {
            "advisory": "ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.",
            "cve": "CVE-2012-5503",
            "id": "pyup.io-25999",
            "specs": [
                "<4.2.3",
                "<4.3b1"
            ],
            "v": "<4.2.3,<4.3b1"
        },
        {
            "advisory": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.",
            "cve": "CVE-2012-5486",
            "id": "pyup.io-25996",
            "specs": [
                "<4.3"
            ],
            "v": "<4.3"
        },
        {
            "advisory": "Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a \"highly serious vulnerability.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.",
            "cve": "CVE-2011-2528",
            "id": "pyup.io-25965",
            "specs": [
                "==3.3.5,==3.3.4,==3.3.3,==3.3.2"
            ],
            "v": "==3.3.5,==3.3.4,==3.3.3,==3.3.2"
        },
        {
            "advisory": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.",
            "cve": "CVE-2011-3587",
            "id": "pyup.io-33144",
            "specs": [
                ">4,<4.2a2"
            ],
            "v": ">4,<4.2a2"
        },
        {
            "advisory": "Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.",
            "cve": "CVE-2017-5524",
            "id": "pyup.io-35733",
            "specs": [
                ">4,<=4.3.11",
                ">5,<=5.0.6"
            ],
            "v": ">4,<=4.3.11,>5,<=5.0.6"
        },
        {
            "advisory": "By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.)",
            "cve": "CVE-2017-1000484",
            "id": "pyup.io-35704",
            "specs": [
                ">4,<=4.3.15",
                ">=5.0,<5.1rc1"
            ],
            "v": ">4,<=4.3.15,>=5.0,<5.1rc1"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.",
            "cve": "CVE-2011-1949",
            "id": "pyup.io-25997",
            "specs": [
                ">=2.1,<4.2"
            ],
            "v": ">=2.1,<4.2"
        },
        {
            "advisory": "Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors.",
            "cve": "CVE-2011-0720",
            "id": "pyup.io-33142",
            "specs": [
                ">=2.5,<4.0"
            ],
            "v": ">=2.5,<4.0"
        },
        {
            "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. See: CVE-2013-7062.",
            "cve": "CVE-2013-7062",
            "id": "pyup.io-37753",
            "specs": [
                ">=3.3.0,<=3.3.6",
                ">=4.0,<=4.0.9",
                ">=4.1.0,<=4.1.6",
                ">=4.2.0,<=4.2.7",
                ">=4.3,<=4.3.2"
            ],
            "v": ">=3.3.0,<=3.3.6,>=4.0,<=4.0.9,>=4.1.0,<=4.1.6,>=4.2.0,<=4.2.7,>=4.3,<=4.3.2"
        },
        {
            "advisory": "The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.",
            "cve": "CVE-2011-4030",
            "id": "pyup.io-33145",
            "specs": [
                ">=4,<4.2a2"
            ],
            "v": ">=4,<4.2a2"
        },
        {
            "advisory": "SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) See: CVE-2020-7939.",
            "cve": "CVE-2020-7939",
            "id": "pyup.io-37787",
            "specs": [
                ">=4.0,<=5.2.1"
            ],
            "v": ">=4.0,<=5.2.1"
        },
        {
            "advisory": "An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. See: CVE-2020-7936.",
            "cve": "CVE-2020-7936",
            "id": "pyup.io-37784",
            "specs": [
                ">=4.0,<=5.2.1"
            ],
            "v": ">=4.0,<=5.2.1"
        },
        {
            "advisory": "Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. See: CVE-2020-7940.",
            "cve": "CVE-2020-7940",
            "id": "pyup.io-37788",
            "specs": [
                ">=4.3,<=5.2.0"
            ],
            "v": ">=4.3,<=5.2.0"
        },
        {
            "advisory": "A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.",
            "cve": "CVE-2020-7941",
            "id": "pyup.io-36898",
            "specs": [
                ">=4.3,<=5.2.1"
            ],
            "v": ">=4.3,<=5.2.1"
        },
        {
            "advisory": "An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. See: CVE-2020-7937.",
            "cve": "CVE-2020-7937",
            "id": "pyup.io-37785",
            "specs": [
                ">=5.0,<=5.2.1"
            ],
            "v": ">=5.0,<=5.2.1"
        },
        {
            "advisory": "plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. See: CVE-2020-7938.",
            "cve": "CVE-2020-7938",
            "id": "pyup.io-37786",
            "specs": [
                ">=5.2.0,<=5.2.1"
            ],
            "v": ">=5.2.0,<=5.2.1"
        }
    ],
    "plone-app-contentmenu": [
        {
            "advisory": "Plone-app-contentmenu  1.1.7 escapes the title of the defaultpage in the DisplayMenu. This fixes a potential\r\n  xss attack and http://dev.plone.org/plone/ticket/8377.",
            "cve": null,
            "id": "pyup.io-36047",
            "specs": [
                "<1.1.7"
            ],
            "v": "<1.1.7"
        }
    ],
    "plone-app-contenttypes": [
        {
            "advisory": "plone-app-contenttypes 1.2.15 fixes a possible cross site scripting (XSS) attack in lead image caption.",
            "cve": null,
            "id": "pyup.io-35870",
            "specs": [
                "<1.2.15"
            ],
            "v": "<1.2.15"
        }
    ],
    "plone-app-discussion": [
        {
            "advisory": "plone-app-discussion 2.4.14 fixes a possible cross site scripting (XSS) attack on moderate comments page.",
            "cve": null,
            "id": "pyup.io-35864",
            "specs": [
                "<2.4.14"
            ],
            "v": "<2.4.14"
        }
    ],
    "plone-app-event": [
        {
            "advisory": "plone-app-event  3.0 fixes a possible cross site scripting (XSS) attack in location field.",
            "cve": null,
            "id": "pyup.io-35923",
            "specs": [
                "<3.0"
            ],
            "v": "<3.0"
        }
    ],
    "plone-app-users": [
        {
            "advisory": "plone-app-users before 1.0.5 does not check for permission when editing other users' profiles.\r\n  This fixes http://dev.plone.org/plone/ticket/11842 and\r\n  http://plone.org/products/plone/security/advisories/CVE-2011-1950",
            "cve": null,
            "id": "pyup.io-36096",
            "specs": [
                "<1.0.5"
            ],
            "v": "<1.0.5"
        }
    ],
    "plone-dexterity": [
        {
            "advisory": "In plone-dexterity before 2.3.0 Attribute access to schema fields can be protected. This\r\n  worked for direct schemas, but was not implemented for permissions coming\r\n  from behaviors.",
            "cve": null,
            "id": "pyup.io-35873",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        }
    ],
    "plone.app.content": [
        {
            "advisory": "plone.app.content 3.3.1 includes security hotfix 20160830 for folder factories redirection.",
            "cve": null,
            "id": "pyup.io-26000",
            "specs": [
                "<3.3.1"
            ],
            "v": "<3.3.1"
        },
        {
            "advisory": "Plone.app.content 3.8.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher",
            "cve": null,
            "id": "pyup.io-38030",
            "specs": [
                "<3.8.1"
            ],
            "v": "<3.8.1"
        }
    ],
    "plone.app.contentmenu": [
        {
            "advisory": "plone.app.contentmenu 1.1.7 fixes a potential xss attack and http://dev.plone.org/plone/ticket/8377.",
            "cve": null,
            "id": "pyup.io-26001",
            "specs": [
                "<1.1.7"
            ],
            "v": "<1.1.7"
        }
    ],
    "plone.app.contenttypes": [
        {
            "advisory": "plone.app.contenttypes 1.2.15 fixes a possible cross site scripting (XSS) attack in lead image caption.",
            "cve": null,
            "id": "pyup.io-26002",
            "specs": [
                "<1.2.15"
            ],
            "v": "<1.2.15"
        },
        {
            "advisory": "plone.app.contenttypes 2.1.6 integrates PloneHotFix20200121: add more permission checks - see https://plone.org/security/hotfix/20200121/privilege-escalation-for-overwriting-content",
            "cve": "CVE-2020-7941",
            "id": "pyup.io-37887",
            "specs": [
                "<2.1.6"
            ],
            "v": "<2.1.6"
        }
    ],
    "plone.app.discussion": [
        {
            "advisory": "plone.app.discussion 2.4.14 fixes a possible cross site scripting (XSS) attack on moderate comments page.",
            "cve": null,
            "id": "pyup.io-26003",
            "specs": [
                "<2.4.14"
            ],
            "v": "<2.4.14"
        },
        {
            "advisory": "plone.app.discussion 2.4.18 includes security hotfix 20160830 for redirects.",
            "cve": null,
            "id": "pyup.io-26004",
            "specs": [
                "<2.4.18"
            ],
            "v": "<2.4.18"
        }
    ],
    "plone.app.event": [
        {
            "advisory": "plone.app.event 3.0 fixes a possible cross site scripting (XSS) attack in location field",
            "cve": null,
            "id": "pyup.io-26005",
            "specs": [
                "<3.0"
            ],
            "v": "<3.0"
        }
    ],
    "plone.app.layout": [
        {
            "advisory": "Plone.app.layout 3.4.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher",
            "cve": null,
            "id": "pyup.io-38031",
            "specs": [
                "<3.4.1"
            ],
            "v": "<3.4.1"
        }
    ],
    "plone.app.linkintegrity": [
        {
            "advisory": "plone.app.linkintegrity 1.0.2 fixed security issue due to using pickles (see CVE-2007-5741).",
            "cve": null,
            "id": "pyup.io-26006",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        }
    ],
    "plone.dexterity": [
        {
            "advisory": "plone.dexterity 2.3.0 fixes a security issue. Attribute access to schema fields can be protected. This worked for direct schemas, but was not implemented for permissions coming from behaviors.",
            "cve": null,
            "id": "pyup.io-26007",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        }
    ],
    "plone.formwidget.contenttree": [
        {
            "advisory": "plone.formwidget.contenttree 1.0a3 fixes an issues with the security validator to work properly on add views and other views using namespace traversal.",
            "cve": null,
            "id": "pyup.io-26008",
            "specs": [
                "<1.0a3"
            ],
            "v": "<1.0a3"
        }
    ],
    "plone.memoize": [
        {
            "advisory": "Plone.memoize 1.0.3 no longeruses hash when making cache keys. This is to avoid cache collisions, and to avoid a potential security problem where an attacker could manually craft collisions. Also, the use of hash() is no longer recommending in tests.",
            "cve": null,
            "id": "pyup.io-37107",
            "specs": [
                "<1.0.3"
            ],
            "v": "<1.0.3"
        }
    ],
    "plone.mockup": [
        {
            "advisory": "plone.mockup before 2.1.3 is vulnerable to a XSS attack in structure and relateditem pattern.",
            "cve": null,
            "id": "pyup.io-26009",
            "specs": [
                "<2.1.3"
            ],
            "v": "<2.1.3"
        }
    ],
    "plone.openid": [
        {
            "advisory": "plone.openid before 2.0.2 is not using the system number generator, even if it is available.",
            "cve": null,
            "id": "pyup.io-26010",
            "specs": [
                "<2.0.2"
            ],
            "v": "<2.0.2"
        }
    ],
    "plone.recipe.varnish": [
        {
            "advisory": "Plone.recipe.varnish 6.0.0b1 updates to Varnish 6.0.6 LTS security release.",
            "cve": null,
            "id": "pyup.io-37942",
            "specs": [
                "<6.0.0b1"
            ],
            "v": "<6.0.0b1"
        }
    ],
    "plone.z3cform": [
        {
            "advisory": "Plone.z3cform 0.5.9 fixes a security problem with the ++widget++ namespace [optilude].",
            "cve": null,
            "id": "pyup.io-37035",
            "specs": [
                "<0.5.9"
            ],
            "v": "<0.5.9"
        }
    ],
    "plotly": [
        {
            "advisory": "Plotly 1.15.0 improves a potential XSS input in `text` fields.",
            "cve": null,
            "id": "pyup.io-37053",
            "specs": [
                "<1.15.0"
            ],
            "v": "<1.15.0"
        },
        {
            "advisory": "Plotly 1.22.0 fixes an XSS vulnerability in a trace name on hover.",
            "cve": null,
            "id": "pyup.io-37052",
            "specs": [
                "<1.22.0"
            ],
            "v": "<1.22.0"
        }
    ],
    "plumi.app": [
        {
            "advisory": "plumi.app 4.2 includes a security hotfix related to  LinguaPlone & plone.app.discussion.",
            "cve": null,
            "id": "pyup.io-26011",
            "specs": [
                "<4.2"
            ],
            "v": "<4.2"
        },
        {
            "advisory": "plumi.app before 4.2.1 uses a insecure transitive dependency (plone<4.0.7).",
            "cve": null,
            "id": "pyup.io-26012",
            "specs": [
                "<4.2.1"
            ],
            "v": "<4.2.1"
        },
        {
            "advisory": "plumi.app 4.2.2 patches a serious security vulnerability/",
            "cve": null,
            "id": "pyup.io-26013",
            "specs": [
                "<4.2.2"
            ],
            "v": "<4.2.2"
        }
    ],
    "pmr2.oauth": [
        {
            "advisory": "pmr2.oauth before 0.4.2 is vulnerable to CSRF attacks.",
            "cve": null,
            "id": "pyup.io-26014",
            "specs": [
                "<0.4.2"
            ],
            "v": "<0.4.2"
        }
    ],
    "podder-task-base": [
        {
            "advisory": "podder-task-base 0.4.0 changes: Update version of SQLAlchemy, Jinja for security reason",
            "cve": null,
            "id": "pyup.io-37260",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "pokedex.py": [
        {
            "advisory": "pokedex.py 1.1.2 updates `requests` package to `>=2.20.0,<3.0.0` to fix information exposure vulnerability",
            "cve": null,
            "id": "pyup.io-36593",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        }
    ],
    "polemarch": [
        {
            "advisory": "polemarch 1.2.1 change: Update `bootstrap` and `moment.js` for security reasons.",
            "cve": null,
            "id": "pyup.io-37229",
            "specs": [
                "<1.2.1"
            ],
            "v": "<1.2.1"
        }
    ],
    "polyaxon": [
        {
            "advisory": "Polyaxon 0.4.1 updates dependencies exposing security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-38029",
            "specs": [
                "<0.4.1"
            ],
            "v": "<0.4.1"
        },
        {
            "advisory": "Polyaxon 0.4.3 update some packages that have some security and deprecation problems.",
            "cve": null,
            "id": "pyup.io-38028",
            "specs": [
                "<0.4.3"
            ],
            "v": "<0.4.3"
        },
        {
            "advisory": "Polyaxon 0.5.1 updates lodash: vulnerability issue.",
            "cve": null,
            "id": "pyup.io-38025",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        },
        {
            "advisory": "Polyaxon 0.5.5 updates dependencies with security release.",
            "cve": null,
            "id": "pyup.io-38023",
            "specs": [
                "<0.5.5"
            ],
            "v": "<0.5.5"
        },
        {
            "advisory": "Polyaxon 0.6.0 fixes some unspecified security issues.",
            "cve": null,
            "id": "pyup.io-38022",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "poorwsgi": [
        {
            "advisory": "poorwsgi 1.0.2 includes several security related enhancements related to secret key generation.",
            "cve": null,
            "id": "pyup.io-26015",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        }
    ],
    "pootle": [
        {
            "advisory": "pootle before 2.8.0rc5 is vulnerable to several undisclosed security vulnerabilites.",
            "cve": null,
            "id": "pyup.io-34211",
            "specs": [
                "<2.8.0rc5"
            ],
            "v": "<2.8.0rc5"
        },
        {
            "advisory": "pootle before 2.8.0rc6 has multiple, undisclosed, security vulnerabilites that were found during an audit.",
            "cve": null,
            "id": "pyup.io-34790",
            "specs": [
                "<2.8.0rc6"
            ],
            "v": "<2.8.0rc6"
        },
        {
            "advisory": "pootle before 2.7.3 is vulnerable to XSS attacks, so everybody with Pootle 2.7.x needs to upgrade.",
            "cve": null,
            "id": "pyup.io-34201",
            "specs": [
                ">=2.6,<2.7.3"
            ],
            "v": ">=2.6,<2.7.3"
        }
    ],
    "postfix-mta-sts-resolver": [
        {
            "advisory": "Postfix-mta-sts-resolver 0.6.1 hardens the container security.",
            "cve": null,
            "id": "pyup.io-37461",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        }
    ],
    "prefect": [
        {
            "advisory": "Prefect 0.5.1 bumps `distributed` to 1.26.1 for enhanced security features - [878].",
            "cve": null,
            "id": "pyup.io-37020",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        }
    ],
    "pretaweb.healthcheck": [
        {
            "advisory": "pretaweb.healthcheck before 1.0 is vulnerable to DoS attacks.",
            "cve": null,
            "id": "pyup.io-26016",
            "specs": [
                "<1.0"
            ],
            "v": "<1.0"
        }
    ],
    "priority": [
        {
            "advisory": "priority before 1.2.0 is vulnerable to a denial of service attack whereby a remote peer can cause a user to insert an unbounded number of streams into the priority tree, eventually consuming all available memory.",
            "cve": null,
            "id": "pyup.io-26017",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "products-cmfcore": [
        {
            "advisory": "products-cmfcore 2.1.0beta2 adds POST-only protections to security critical methods.\r\n  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0240)",
            "cve": null,
            "id": "pyup.io-36125",
            "specs": [
                "<2.1.0beta2"
            ],
            "v": "<2.1.0beta2"
        }
    ],
    "products-ploneformgen": [
        {
            "advisory": "products-ploneformgen before 1.8.1 has a XSS vulnerability that could be exploited by users with the ability\r\n  to create forms.",
            "cve": null,
            "id": "pyup.io-35878",
            "specs": [
                "<1.8.1"
            ],
            "v": "<1.8.1"
        }
    ],
    "products-zopetree": [
        {
            "advisory": "Products-zopetree 1.3 fixes a security hole in the tree state decompressing mechanism. Previous versions were vulnerable to a denial of service attack using large tree states.",
            "cve": null,
            "id": "pyup.io-37726",
            "specs": [
                "<1.3"
            ],
            "v": "<1.3"
        }
    ],
    "products.cmfcontentpanels": [
        {
            "advisory": "products.cmfcontentpanels before 1.4.1 has two not disclosed security issues.",
            "cve": null,
            "id": "pyup.io-26020",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        }
    ],
    "products.cmfcore": [
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request. See: CVE-2007-0240.",
            "cve": "CVE-2007-0240",
            "id": "pyup.io-35820",
            "specs": [
                "<2.1.0beta2"
            ],
            "v": "<2.1.0beta2"
        },
        {
            "advisory": "Products.cmfcore 2.3.0beta tightens the security for anonymous test user.",
            "cve": null,
            "id": "pyup.io-35818",
            "specs": [
                "<2.3.0beta"
            ],
            "v": "<2.3.0beta"
        }
    ],
    "products.cmfplone": [
        {
            "advisory": "In Products.CMFPlone before 5.1b1, it's possible to access private content via str.format in through-the-web templates and scripts.",
            "cve": null,
            "id": "pyup.io-32997",
            "specs": [
                "<5.1b1"
            ],
            "v": "<5.1b1"
        }
    ],
    "products.cmfquickinstallertool": [
        {
            "advisory": "products.cmfquickinstallertool before 3.0.14 is vulnerable to several cross site scripting (XSS) attacks.",
            "cve": null,
            "id": "pyup.io-26021",
            "specs": [
                "<3.0.14"
            ],
            "v": "<3.0.14"
        }
    ],
    "products.cmfuid": [
        {
            "advisory": "products.cmfuid before 2.1.0beta2 has a vulnerability because it includes the Zope dependency version <2.10.2, which has an injection vulnerability (see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0240)",
            "cve": null,
            "id": "pyup.io-36300",
            "specs": [
                "<2.1.0beta2"
            ],
            "v": "<2.1.0beta2"
        }
    ],
    "products.dcworkflow": [
        {
            "advisory": "Products.dcworkflow 2.1.0beta2 adds POST-only protections to security critical methods. See: CVE-2007-0240.",
            "cve": "CVE-2007-0240",
            "id": "pyup.io-38035",
            "specs": [
                "<2.1.0beta2"
            ],
            "v": "<2.1.0beta2"
        }
    ],
    "products.ldapuserfolder": [
        {
            "advisory": "The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.",
            "cve": null,
            "id": "pyup.io-33148",
            "specs": [
                "<2.19"
            ],
            "v": "<2.19"
        },
        {
            "advisory": "The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.",
            "cve": "CVE-2010-2944",
            "id": "pyup.io-26023",
            "specs": [
                "==2.9"
            ],
            "v": "==2.9"
        }
    ],
    "products.ploneformgen": [
        {
            "advisory": "products.ploneformgen before 1.8.1 is vulnerable to a XSS attack that could be exploited by users with the ability to create forms.",
            "cve": null,
            "id": "pyup.io-26024",
            "specs": [
                "<1.8.1"
            ],
            "v": "<1.8.1"
        }
    ],
    "products.plonepas": [
        {
            "advisory": "The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors.",
            "cve": "CVE-2009-0662",
            "id": "pyup.io-33149",
            "specs": [
                ">3.2.2,<3.9"
            ],
            "v": ">3.2.2,<3.9"
        }
    ],
    "products.poi": [
        {
            "advisory": "products.poi before 2.2.3 allows anonymous users to see issues inside private folders.",
            "cve": null,
            "id": "pyup.io-26027",
            "specs": [
                "<2.2.3"
            ],
            "v": "<2.2.3"
        }
    ],
    "psd-tools": [
        {
            "advisory": "Psd-tools 1.9.4 fixes a security issue related to compression in 1.8.37 - 1.9.3.",
            "cve": null,
            "id": "pyup.io-37654",
            "specs": [
                ">=1.8.37,<=1.9.3"
            ],
            "v": ">=1.8.37,<=1.9.3"
        }
    ],
    "psutil": [
        {
            "advisory": "psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object. See CVE-2019-18874.",
            "cve": "CVE-2019-18874",
            "id": "pyup.io-37765",
            "specs": [
                "<=5.6.5"
            ],
            "v": "<=5.6.5"
        }
    ],
    "ptah": [
        {
            "advisory": "ptah before 0.3.3 is vulnerable to a undisclosed attack.",
            "cve": null,
            "id": "pyup.io-26028",
            "specs": [
                "<0.3.3"
            ],
            "v": "<0.3.3"
        }
    ],
    "puput": [
        {
            "advisory": "Puput 1.0.4 update the Django version to greater than 2.1.6 to fix security issues.",
            "cve": null,
            "id": "pyup.io-37153",
            "specs": [
                "<1.0.4"
            ],
            "v": "<1.0.4"
        }
    ],
    "pure": [
        {
            "advisory": "pure 1.5.2 prevents double prompt expansion in preprompt (e.g. secure against bad git branch names)",
            "cve": null,
            "id": "pyup.io-36940",
            "specs": [
                "<1.5.2"
            ],
            "v": "<1.5.2"
        }
    ],
    "pwd": [
        {
            "advisory": "pwd  is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34983",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "pwman3": [
        {
            "advisory": "pwman3 before 0.4.0 uses cPickle.loads and cPickle.dumps.",
            "cve": null,
            "id": "pyup.io-26029",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "py-ci": [
        {
            "advisory": "Py-ci 0.5.2 upgrades versions of requests and jinja2 due to security alerts. See: <https://github.com/iliapolo/pyci/commit/17a5162f0479ebfdf0d1047ab4016cede6b7c211>.",
            "cve": null,
            "id": "pyup.io-37333",
            "specs": [
                "<0.5.2"
            ],
            "v": "<0.5.2"
        }
    ],
    "py-espeak-ng": [
        {
            "advisory": "py-espeak-ng 1.49.0 fixes many logic and security issues reported by clang scan-build, Coverity and msvc /analyze.",
            "cve": null,
            "id": "pyup.io-36322",
            "specs": [
                "<1.49.0"
            ],
            "v": "<1.49.0"
        }
    ],
    "py-ms": [
        {
            "advisory": "py-ms 1.0.1 replaces Jaeger with Lightstep - improved security.",
            "cve": null,
            "id": "pyup.io-36875",
            "specs": [
                "<1.0.1"
            ],
            "v": "<1.0.1"
        }
    ],
    "py-rate": [
        {
            "advisory": "The luigi functionality before py-rate 0.3.0 was reported as vulnerable.",
            "cve": null,
            "id": "pyup.io-37312",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "py3web": [
        {
            "advisory": "py3web before 0.21 isn't checking for bad characters in headers.",
            "cve": null,
            "id": "pyup.io-32919",
            "specs": [
                "<0.21"
            ],
            "v": "<0.21"
        }
    ],
    "pyamf": [
        {
            "advisory": "pyamf 0.8 fixes a security issue and now wrappes all xml parsing in ``defusedxml`` to protect against any XML entity attacks. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. Thanks to Nicolas Gr\u00e9goire (Agarri_FR) for the report.",
            "cve": null,
            "id": "pyup.io-34622",
            "specs": [
                "<0.8"
            ],
            "v": "<0.8"
        }
    ],
    "pyanyapi": [
        {
            "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.",
            "cve": "CVE-2017-16616",
            "id": "pyup.io-35719",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        }
    ],
    "pyarmor": [
        {
            "advisory": "pyarmor 5.1.2 Improves the security of PyArmor self",
            "cve": null,
            "id": "pyup.io-36853",
            "specs": [
                "<5.1.2"
            ],
            "v": "<5.1.2"
        }
    ],
    "pybald": [
        {
            "advisory": "Pybald 0.5.6 updates SQLAlchemy dependency to 1.3.3 to mitigate a security issue with SQLAlchemy verstions <= 1.3.0.",
            "cve": null,
            "id": "pyup.io-37104",
            "specs": [
                "<0.5.6"
            ],
            "v": "<0.5.6"
        }
    ],
    "pybible-cli": [
        {
            "advisory": "Version 1.1.2: Bible pickle files have been replaced by JSON files for better performance and security.",
            "cve": null,
            "id": "pyup.io-38043",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        }
    ],
    "pycapnp": [
        {
            "advisory": "pycapnp before 0.5.5 bundled an insecure library (libcapnp).",
            "cve": null,
            "id": "pyup.io-26030",
            "specs": [
                "<0.5.5"
            ],
            "v": "<0.5.5"
        }
    ],
    "pycapnp-async": [
        {
            "advisory": "Pycapnp-async 0.5.4 updates the bundled C++ libcapnp to v0.5.1.1 security release.",
            "cve": null,
            "id": "pyup.io-37586",
            "specs": [
                "<0.5.4"
            ],
            "v": "<0.5.4"
        },
        {
            "advisory": "Pycapnp-async 0.5.5 updates the bundled C++ libcapnp to v0.5.1.2 security release.",
            "cve": null,
            "id": "pyup.io-37585",
            "specs": [
                "<0.5.5"
            ],
            "v": "<0.5.5"
        }
    ],
    "pycares": [
        {
            "advisory": "pycares before 2.1.1 is vulnerable to CVE-2016-5180.",
            "cve": null,
            "id": "pyup.io-26031",
            "specs": [
                "<2.1.1"
            ],
            "v": "<2.1.1"
        }
    ],
    "pyconll": [
        {
            "advisory": "pyconll 1.1.0 updates ``requests`` dependency due to security flaw",
            "cve": null,
            "id": "pyup.io-36647",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        },
        {
            "advisory": "pyconll before 1.1.2 the ``requests`` version used in ``requirements.txt`` was insecure.",
            "cve": null,
            "id": "pyup.io-36763",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        }
    ],
    "pycookiecheat": [
        {
            "advisory": "Pycookiecheat 0.2.0 makes SQL query more secure by avoiding string formatting.",
            "cve": null,
            "id": "pyup.io-26729",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        },
        {
            "advisory": "Pycookiecheat 0.4.5 went back to using cryptography due to CVE-2013-7459.",
            "cve": "CVE-2013-7459",
            "id": "pyup.io-37543",
            "specs": [
                "<0.4.5"
            ],
            "v": "<0.4.5"
        }
    ],
    "pycrypto": [
        {
            "advisory": "In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group.  However, in PyCrypto 2.5 and earlier, g is more simply the generator of a random sub-group of Z^*_p.",
            "cve": null,
            "id": "pyup.io-26032",
            "specs": [
                "<2.6"
            ],
            "v": "<2.6"
        },
        {
            "advisory": "The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.",
            "cve": "CVE-2013-1445",
            "id": "pyup.io-33150",
            "specs": [
                "<2.6.1"
            ],
            "v": "<2.6.1"
        },
        {
            "advisory": "lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.",
            "cve": "CVE-2018-6594",
            "id": "pyup.io-35765",
            "specs": [
                "<2.6.1"
            ],
            "v": "<2.6.1"
        },
        {
            "advisory": "Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.",
            "cve": "CVE-2013-7459",
            "id": "pyup.io-35015",
            "specs": [
                "<=2.6.1"
            ],
            "v": "<=2.6.1"
        }
    ],
    "pycryptodome": [
        {
            "advisory": "pycryptodome before 3.6.6 has a vulnerability on AESNI ECB with payloads smaller than 16 bytes.",
            "cve": null,
            "id": "pyup.io-36384",
            "specs": [
                "<3.6.6"
            ],
            "v": "<3.6.6"
        }
    ],
    "pycsw": [
        {
            "advisory": "A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. Also on PostgreSQL (at least) it is possible to perform updates/inserts/deletes and database modifications to any table the database user has access to.",
            "cve": "CVE-2016-8640",
            "id": "pyup.io-36365",
            "specs": [
                "<2.0.2"
            ],
            "v": "<2.0.2"
        }
    ],
    "pydal": [
        {
            "advisory": "pydal before 15.02.27 has a security flaw which could lead to db password storing in cache.",
            "cve": null,
            "id": "pyup.io-33022",
            "specs": [
                "<15.02.27"
            ],
            "v": "<15.02.27"
        }
    ],
    "pydotz": [
        {
            "advisory": "pydotz 1.2.0 no longer has paths hard-coded due to security and privacy issues",
            "cve": null,
            "id": "pyup.io-37972",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "pyforce": [
        {
            "advisory": "Pyforce 1.8.0 fixes the external entities vulnerability #35.",
            "cve": null,
            "id": "pyup.io-38058",
            "specs": [
                "<1.8.0"
            ],
            "v": "<1.8.0"
        }
    ],
    "pyftpdlib": [
        {
            "advisory": "pyftpdlib before 0.3.0 has a path traversal vulnerability in case of symbolic links escaping user's home directory.",
            "cve": null,
            "id": "pyup.io-26036",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        },
        {
            "advisory": "Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different vulnerability than CVE-2010-3494.",
            "cve": "CVE-2009-5010",
            "id": "pyup.io-26037",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        },
        {
            "advisory": "Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, a related issue to CVE-2010-3492.",
            "cve": "CVE-2010-3494",
            "id": "pyup.io-26038",
            "specs": [
                "<0.5.2"
            ],
            "v": "<0.5.2"
        }
    ],
    "pygresql": [
        {
            "advisory": "The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.",
            "cve": "CVE-2009-2940",
            "id": "pyup.io-26039",
            "specs": [
                "<4.0"
            ],
            "v": "<4.0"
        }
    ],
    "pyinaturalist": [
        {
            "advisory": "Pyinaturalist 0.7.0 includes minor dependencies updates for security reasons.",
            "cve": null,
            "id": "pyup.io-37127",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        }
    ],
    "pyjwt": [
        {
            "advisory": "pyjwt before 1.0.0  allows to bypass signature verification by setting the alg header to None.",
            "cve": null,
            "id": "pyup.io-26040",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        },
        {
            "advisory": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.",
            "cve": null,
            "id": "pyup.io-35014",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "pykechain": [
        {
            "advisory": "pykechain 2.5.4 updates security advisory to install requests package later than 2.20.0 (CVE-2018-18074).",
            "cve": null,
            "id": "pyup.io-36937",
            "specs": [
                "<2.5.4"
            ],
            "v": "<2.5.4"
        }
    ],
    "pyldap": [
        {
            "advisory": "pyldap before 2.0.0pre05 is using an insecure transitive dependency (ldapurl).",
            "cve": null,
            "id": "pyup.io-26041",
            "specs": [
                "<2.0.0pre05"
            ],
            "v": "<2.0.0pre05"
        }
    ],
    "pylons": [
        {
            "advisory": "pylons before 0.9.6.1 allows to access private controller methods to be accessed from the outside.",
            "cve": null,
            "id": "pyup.io-26042",
            "specs": [
                "<0.9.6.1"
            ],
            "v": "<0.9.6.1"
        },
        {
            "advisory": "pylons before 0.9.7 is vulnerable to a XSS attack on the default error page.",
            "cve": null,
            "id": "pyup.io-26043",
            "specs": [
                "<0.9.7"
            ],
            "v": "<0.9.7"
        },
        {
            "advisory": "pylons before 1.0.1RC1 is vulnerable to timing attacks on secure cookies.",
            "cve": null,
            "id": "pyup.io-26044",
            "specs": [
                "<1.0.1RC1"
            ],
            "v": "<1.0.1RC1"
        },
        {
            "advisory": "pylons before 1.0.1rc1 is vulnerable to cookie timing attacks.",
            "cve": null,
            "id": "pyup.io-26045",
            "specs": [
                "<1.0.1rc1"
            ],
            "v": "<1.0.1rc1"
        },
        {
            "advisory": "pylons before 1.0.2 includes \"Post Traceback\" which is a possible XSS vector.",
            "cve": null,
            "id": "pyup.io-26046",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        }
    ],
    "pymemcache": [
        {
            "advisory": "pymemcache before 1.3.6 isn't sanitizing key inputs.",
            "cve": null,
            "id": "pyup.io-26047",
            "specs": [
                "<1.3.6"
            ],
            "v": "<1.3.6"
        }
    ],
    "pymisp": [
        {
            "advisory": "Pymisp 2.4.106 fixes CVE-2019-11324 (urllib3).",
            "cve": "CVE-2019-11324",
            "id": "pyup.io-37292",
            "specs": [
                "<2.4.106"
            ],
            "v": "<2.4.106"
        }
    ],
    "pymls": [
        {
            "advisory": "Pymls 1.4.10 fixes the Github-reported security issues in requirements.txt and bumps PyYAML version in setup for security reasons (CVE-2017-18342).",
            "cve": "CVE-2017-18342",
            "id": "pyup.io-37193",
            "specs": [
                "<1.4.10"
            ],
            "v": "<1.4.10"
        }
    ],
    "pymongo": [
        {
            "advisory": "bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an \"invalid DBRef.\"",
            "cve": "CVE-2013-2132",
            "id": "pyup.io-35429",
            "specs": [
                "<2.5.2"
            ],
            "v": "<2.5.2"
        }
    ],
    "pynoorm": [
        {
            "advisory": "pynoorm 0.4.2 updates PyYaml to 4.2b4 to fix security vulnerability",
            "cve": null,
            "id": "pyup.io-36789",
            "specs": [
                "<0.4.2"
            ],
            "v": "<0.4.2"
        }
    ],
    "pynps": [
        {
            "advisory": "Pynps 1.2.0 removes support for search after updating database for security reasons.",
            "cve": null,
            "id": "pyup.io-37724",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        }
    ],
    "pyoes": [
        {
            "advisory": "pyoes 0.9.0 change: Libs updaten - security alert",
            "cve": null,
            "id": "pyup.io-37254",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        }
    ],
    "pyopenssl": [
        {
            "advisory": "The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.",
            "cve": "CVE-2013-4314",
            "id": "pyup.io-35460",
            "specs": [
                "<0.13.1"
            ],
            "v": "<0.13.1"
        },
        {
            "advisory": "Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.",
            "cve": "CVE-2018-1000807",
            "id": "pyup.io-36533",
            "specs": [
                "<17.5.0"
            ],
            "v": "<17.5.0"
        },
        {
            "advisory": "Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.",
            "cve": "CVE-2018-1000808",
            "id": "pyup.io-36534",
            "specs": [
                "<17.5.0"
            ],
            "v": "<17.5.0"
        }
    ],
    "pyorient": [
        {
            "advisory": "pyorient before 1.4.9 has an SQL injection attack vector, exploitable in one location and potentially a few more, that allowed an attacker to change the WHERE clause in a query and cause it to return unexpected results",
            "cve": null,
            "id": "pyup.io-34150",
            "specs": [
                "<1.4.9"
            ],
            "v": "<1.4.9"
        }
    ],
    "pyowm": [
        {
            "advisory": "pyowm 2.10 upgrades version for dependencies `requests` and `urllib3` as known security issues were raised for them.",
            "cve": null,
            "id": "pyup.io-36750",
            "specs": [
                "<2.10"
            ],
            "v": "<2.10"
        }
    ],
    "pypicloud": [
        {
            "advisory": "pypicloud before 0.2.2 is vulnerable to a undisclosed attack.",
            "cve": null,
            "id": "pyup.io-26048",
            "specs": [
                "<0.2.2"
            ],
            "v": "<0.2.2"
        }
    ],
    "pypiserver": [
        {
            "advisory": "pypiserver before 1.1.7 is vulnerable to XSS attacks.",
            "cve": null,
            "id": "pyup.io-26049",
            "specs": [
                "<1.1.7"
            ],
            "v": "<1.1.7"
        },
        {
            "advisory": "pypiserver 1.2.6 mitigates potential CRLF injection attacks from malicious URLs",
            "cve": null,
            "id": "pyup.io-36843",
            "specs": [
                "<1.2.6"
            ],
            "v": "<1.2.6"
        }
    ],
    "pyplanet": [
        {
            "advisory": "pyplanet 0.6.2 - security: Upgraded library to solve security issues (requests library).",
            "cve": null,
            "id": "pyup.io-36666",
            "specs": [
                "<0.6.2"
            ],
            "v": "<0.6.2"
        },
        {
            "advisory": "Pyplanet 0.7.0 updates some libraries to fix some security issues (none of which were critical).",
            "cve": null,
            "id": "pyup.io-37476",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        }
    ],
    "pyrad": [
        {
            "advisory": "pyrad before 0.6 isn't handling timeouts in client module correctly, leading to a potential denial of service.",
            "cve": null,
            "id": "pyup.io-26050",
            "specs": [
                "<0.6"
            ],
            "v": "<0.6"
        }
    ],
    "pyradiomics": [
        {
            "advisory": "pyradiomics before 1.1.1 used `eval`which is not secure.",
            "cve": null,
            "id": "pyup.io-36302",
            "specs": [
                "<1.1.1"
            ],
            "v": "<1.1.1"
        }
    ],
    "pyramid": [
        {
            "advisory": "Pyramid 0.2 adds ACL-based security.",
            "cve": null,
            "id": "pyup.io-32177",
            "specs": [
                "<0.2"
            ],
            "v": "<0.2"
        },
        {
            "advisory": "Pyramid 0.4.2 changes the default paster template generator to use ``Paste#http`` server rather than ``PasteScript#cherrpy`` server.  The cherrypy server has a  security risk in it when ``REMOTE_USER`` is trusted by the downstream application.",
            "cve": null,
            "id": "pyup.io-32184",
            "specs": [
                "<0.4.2"
            ],
            "v": "<0.4.2"
        },
        {
            "advisory": "In pyramid before 1.0a3, the pylons_* paster template used the same string (``your_app_secret_string``) for the ``session.secret`` setting in the generated ``development.ini``.  This was a security risk if left unchanged in a project that used one of the templates to produce production applications.  It now uses a randomly generated string.",
            "cve": null,
            "id": "pyup.io-32685",
            "specs": [
                "<1.0a3"
            ],
            "v": "<1.0a3"
        },
        {
            "advisory": "The default Mako renderer in pyramid 1.1a1 is configured to escape all HTML in expression tags. This is intended to help prevent XSS attacks caused by rendering unsanitized input from users. To revert this behavior in user's templates, they need to filter the expression through the 'n' filter. For example, ${ myhtml | n }. See <https://github.com/Pylons/pyramid/issues/193>.",
            "cve": null,
            "id": "pyup.io-32194",
            "specs": [
                "<1.1a1"
            ],
            "v": "<1.1a1"
        },
        {
            "advisory": "The AuthTktAuthenticationPolicy in pyramid before 1.3a1 did not use a timing-attack-aware string comparator.  See https://github.com/Pylons/pyramid/pull/320 for more info.",
            "cve": null,
            "id": "pyup.io-32688",
            "specs": [
                "<1.3a1"
            ],
            "v": "<1.3a1"
        },
        {
            "advisory": "In pyramid 1.4a4 the ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to support newer hashing algorithms such as ``sha512``. Existing applications should consider updating if possible for improved security over the default md5 hashing.",
            "cve": null,
            "id": "pyup.io-32201",
            "specs": [
                "<1.4a4"
            ],
            "v": "<1.4a4"
        },
        {
            "advisory": "Pyramid 1.6a1 improves robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See: <https://github.com/Pylons/pyramid/pull/1457>. Also, it avoids timing attacks against CSRF tokens. See: <https://github.com/Pylons/pyramid/pull/1574>.",
            "cve": null,
            "id": "pyup.io-32203",
            "specs": [
                "<1.6a1"
            ],
            "v": "<1.6a1"
        },
        {
            "advisory": "pyramid before 1.6a2 isn't sanitising JSONP callbacks correctly, see CVE-2014-4671.",
            "cve": null,
            "id": "pyup.io-32204",
            "specs": [
                "<1.6a2"
            ],
            "v": "<1.6a2"
        }
    ],
    "pyramid-odesk": [
        {
            "advisory": "pyramid-odesk before 1.1.2 performs logins and logouts through GET and is vulnerable to CSRF attacks.",
            "cve": null,
            "id": "pyup.io-26051",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        }
    ],
    "pyramid-weblayer": [
        {
            "advisory": "pyramid-weblayer before 0.12 does not protect AJAX requests through the CSRF machinery.",
            "cve": null,
            "id": "pyup.io-26052",
            "specs": [
                "<0.12"
            ],
            "v": "<0.12"
        }
    ],
    "pyro": [
        {
            "advisory": "pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.",
            "cve": "CVE-2011-2765",
            "id": "pyup.io-36385",
            "specs": [
                "<3.15"
            ],
            "v": "<3.15"
        }
    ],
    "pyro4": [
        {
            "advisory": "pyro4 before 4.72 is not secure because the HMAC encryption key used with the -k command line option is plainly visible.\r\nUpgrade to 4.72 to show warnings when attempting this. In future use Pyro's 2-way SSL feature or alternatively set the HMAC key in the (new) environment variable PYRO_HMAC_KEY",
            "cve": null,
            "id": "pyup.io-36298",
            "specs": [
                "<4.72"
            ],
            "v": "<4.72"
        }
    ],
    "pyrotools": [
        {
            "advisory": "Pyrotools before 1.0.1 updates requirements.txt to make sure urllib3 is a safe version. See CVE-2019-11324.",
            "cve": "CVE-2019-11324",
            "id": "pyup.io-37086",
            "specs": [
                "<1.0.1"
            ],
            "v": "<1.0.1"
        }
    ],
    "pysam": [
        {
            "advisory": "pysam  0.11.2 wraps htslib/samtools/bcfools versions 1.4.1 in response to a security fix in these libraries",
            "cve": null,
            "id": "pyup.io-34332",
            "specs": [
                "<0.11.2"
            ],
            "v": "<0.11.2"
        }
    ],
    "pysaml2": [
        {
            "advisory": "PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.",
            "cve": "CVE-2016-10127",
            "id": "pyup.io-35659",
            "specs": [
                "<4.4.0"
            ],
            "v": "<4.4.0"
        },
        {
            "advisory": "XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.",
            "cve": "CVE-2016-10149",
            "id": "pyup.io-35660",
            "specs": [
                "<4.4.0"
            ],
            "v": "<4.4.0"
        },
        {
            "advisory": "PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed. See: CVE-2020-5390.",
            "cve": "CVE-2020-5390",
            "id": "pyup.io-37783",
            "specs": [
                "<5.0.0"
            ],
            "v": "<5.0.0"
        },
        {
            "advisory": "pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.",
            "cve": "CVE-2017-1000433",
            "id": "pyup.io-35700",
            "specs": [
                "<=4.4.0"
            ],
            "v": "<=4.4.0"
        },
        {
            "advisory": "Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.",
            "cve": "CVE-2017-1000246",
            "id": "pyup.io-35699",
            "specs": [
                "<=4.4.0"
            ],
            "v": "<=4.4.0"
        }
    ],
    "pysandbox": [
        {
            "advisory": "pysandbox before 1.0.2 allows access to several dict methods.",
            "cve": null,
            "id": "pyup.io-26053",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        },
        {
            "advisory": "pysandbox before 1.0.3 allows access to dict.__init__().",
            "cve": null,
            "id": "pyup.io-26054",
            "specs": [
                "<1.0.3"
            ],
            "v": "<1.0.3"
        },
        {
            "advisory": "pysandbox before 1.5 has several security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-26055",
            "specs": [
                "<1.5"
            ],
            "v": "<1.5"
        },
        {
            "advisory": "pysandbox before 1.6 isn't setting __builtins__ to readonly when execute() is used.",
            "cve": null,
            "id": "pyup.io-26056",
            "specs": [
                "<1.6"
            ],
            "v": "<1.6"
        }
    ],
    "pyshop": [
        {
            "advisory": "pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.",
            "cve": "CVE-2013-1630",
            "id": "pyup.io-26057",
            "specs": [
                "<0.7.1"
            ],
            "v": "<0.7.1"
        }
    ],
    "pyspf": [
        {
            "advisory": "Pyspf 2.0.1 prevents cache poisoning attacks and malformed RR attacks.",
            "cve": null,
            "id": "pyup.io-37431",
            "specs": [
                "<2.0.1"
            ],
            "v": "<2.0.1"
        }
    ],
    "pytest-aoc": [
        {
            "advisory": "pytest-aoc 1.2a6 removes security misfeature: no cookies inside setup.cfg.",
            "cve": null,
            "id": "pyup.io-37267",
            "specs": [
                "<1.2a6"
            ],
            "v": "<1.2a6"
        }
    ],
    "pytest-devpi-server": [
        {
            "advisory": "pytest-devpi-server before 1.1.0  uses a subshell in workspace.run.",
            "cve": null,
            "id": "pyup.io-26059",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "pytest-git": [
        {
            "advisory": "pytest-git before 1.1.0  uses a subshell in workspace.run.",
            "cve": null,
            "id": "pyup.io-26060",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "pytest-profiling": [
        {
            "advisory": "pytest-profiling before 1.1.0  uses a subshell in workspace.run.",
            "cve": null,
            "id": "pyup.io-26061",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "pytest-qt-app": [
        {
            "advisory": "pytest-qt-app before 1.1.0  uses a subshell in workspace.run.",
            "cve": null,
            "id": "pyup.io-26062",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "pytest-server-fixtures": [
        {
            "advisory": "pytest-server-fixtures before 1.1.0  uses a subshell in workspace.run.",
            "cve": null,
            "id": "pyup.io-26063",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "pytest-shutil": [
        {
            "advisory": "pytest-shutil before 1.1.0  uses a subshell in workspace.run.",
            "cve": null,
            "id": "pyup.io-26064",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "pytest-verbose-parametrize": [
        {
            "advisory": "pytest-verbose-parametrize before 1.1.0 uses a subshell in workspace.run.",
            "cve": null,
            "id": "pyup.io-26065",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "python": [
        {
            "advisory": "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.",
            "cve": "CVE-2008-1721",
            "id": "pyup.io-33152",
            "specs": [
                "<2.5.2"
            ],
            "v": "<2.5.2"
        },
        {
            "advisory": "Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.",
            "cve": "CVE-2008-1887",
            "id": "pyup.io-33153",
            "specs": [
                "<2.5.2"
            ],
            "v": "<2.5.2"
        },
        {
            "advisory": "Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows.  NOTE: this issue is due to an incomplete fix for CVE-2007-4965.",
            "cve": "CVE-2008-1679",
            "id": "pyup.io-33151",
            "specs": [
                "<2.5.3"
            ],
            "v": "<2.5.3"
        },
        {
            "advisory": "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
            "cve": "CVE-2016-0772",
            "id": "pyup.io-33154",
            "specs": [
                "<2.7.12",
                ">=3.0,<3.4.5",
                ">=3.5,<3.5.2"
            ],
            "v": "<2.7.12,>=3.0,<3.4.5,>=3.5,<3.5.2"
        },
        {
            "advisory": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
            "cve": "CVE-2016-5636",
            "id": "pyup.io-33155",
            "specs": [
                "<2.7.12",
                ">=3.0,<3.4.5",
                ">=3.5,<3.5.2"
            ],
            "v": "<2.7.12,>=3.0,<3.4.5,>=3.5,<3.5.2"
        },
        {
            "advisory": "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
            "cve": "CVE-2011-4940",
            "id": "pyup.io-26069",
            "specs": [
                ">=2.6,<2.6.7",
                "<2.5.6c1",
                ">=2.7,<2.7.2"
            ],
            "v": ">=2.6,<2.6.7,<2.5.6c1,>=2.7,<2.7.2"
        },
        {
            "advisory": "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
            "cve": "CVE-2011-4944",
            "id": "pyup.io-26074",
            "specs": [
                ">=2.6,<3.3"
            ],
            "v": ">=2.6,<3.3"
        },
        {
            "advisory": "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
            "cve": "CVE-2012-1150",
            "id": "pyup.io-26071",
            "specs": [
                ">=2.7,<2.7.3",
                ">=3.0,<3.1.5",
                ">=3.2,<3.2.3",
                "<2.6.8"
            ],
            "v": ">=2.7,<2.7.3,>=3.0,<3.1.5,>=3.2,<3.2.3,<2.6.8"
        },
        {
            "advisory": "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.",
            "cve": "CVE-2012-0845",
            "id": "pyup.io-26070",
            "specs": [
                ">=2.7,<2.7.3",
                ">=3.2,<3.2.3",
                ">=3.1,<3.1.5",
                "<2.6.8"
            ],
            "v": ">=2.7,<2.7.3,>=3.2,<3.2.3,>=3.1,<3.1.5,<2.6.8"
        },
        {
            "advisory": "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.",
            "cve": "CVE-2012-2135",
            "id": "pyup.io-26076",
            "specs": [
                ">=3.1,<3.4"
            ],
            "v": ">=3.1,<3.4"
        },
        {
            "advisory": "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.",
            "cve": "CVE-2011-1521",
            "id": "pyup.io-26075",
            "specs": [
                ">=3.2,<3.2.1",
                ">=2.7,<2.7.2"
            ],
            "v": ">=3.2,<3.2.1,>=2.7,<2.7.2"
        }
    ],
    "python-augeas": [
        {
            "advisory": "python-augeas before 1.0.0 is vulnerable to cross-mountpoint and symlink attacks.",
            "cve": null,
            "id": "pyup.io-26077",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "python-bugzilla": [
        {
            "advisory": "python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.",
            "cve": "CVE-2013-2191",
            "id": "pyup.io-35432",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        }
    ],
    "python-cjson": [
        {
            "advisory": "Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument to cjson.encode, which makes it easier for remote attackers to conduct certain cross-site scripting (XSS) attacks involving Firefox and the end tag of a SCRIPT element.",
            "cve": "CVE-2009-4924",
            "id": "pyup.io-33160",
            "specs": [
                "<1.0.5"
            ],
            "v": "<1.0.5"
        },
        {
            "advisory": "Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 encoding is enabled, allows context-dependent attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors involving crafted Unicode input to the cjson.encode function.",
            "cve": "CVE-2010-1666",
            "id": "pyup.io-33161",
            "specs": [
                "<1.0.5"
            ],
            "v": "<1.0.5"
        }
    ],
    "python-clu": [
        {
            "advisory": "Python-clu 0.5.1 removes an insecure Django requirement.",
            "cve": null,
            "id": "pyup.io-37800",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        }
    ],
    "python-dbusmock": [
        {
            "advisory": "python-dbusmock before 0.15.1 is vulnerable to a tempfile attack. When loading a template from an arbitrary file through the AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() Python method, don't create or use Python's *.pyc cached files. By tricking a user into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory. Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories.",
            "cve": null,
            "id": "pyup.io-26080",
            "specs": [
                "<0.15.1"
            ],
            "v": "<0.15.1"
        },
        {
            "advisory": "Python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file. See CVE-2015-1326.",
            "cve": "CVE-2015-1326",
            "id": "pyup.io-37088",
            "specs": [
                "<0.15.1"
            ],
            "v": "<0.15.1"
        }
    ],
    "python-docx": [
        {
            "advisory": "python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.",
            "cve": "CVE-2016-5851",
            "id": "pyup.io-26081",
            "specs": [
                "<0.8.6"
            ],
            "v": "<0.8.6"
        }
    ],
    "python-engineio": [
        {
            "advisory": "Python-engineio 3.5.2 removes a security alert in the requirements.",
            "cve": null,
            "id": "pyup.io-37168",
            "specs": [
                "<3.5.2"
            ],
            "v": "<3.5.2"
        },
        {
            "advisory": "Python-engineio 3.9.0 addresses potential websocket cross-origin attacks. See: <https://github.com/miguelgrinberg/python-engineio/issues/128>.",
            "cve": null,
            "id": "pyup.io-37307",
            "specs": [
                "<3.9.0"
            ],
            "v": "<3.9.0"
        },
        {
            "advisory": "An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted. See: <https://github.com/miguelgrinberg/python-engineio/issues/128>.",
            "cve": "CVE-2019-13611",
            "id": "pyup.io-37288",
            "specs": [
                "<=3.8.2"
            ],
            "v": "<=3.8.2"
        }
    ],
    "python-fedora": [
        {
            "advisory": "python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection",
            "cve": "CVE-2017-1002150",
            "id": "pyup.io-35705",
            "specs": [
                "<=0.8.0"
            ],
            "v": "<=0.8.0"
        }
    ],
    "python-gnupg": [
        {
            "advisory": "python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted.",
            "cve": "CVE-2019-6690",
            "id": "pyup.io-36964",
            "specs": [
                "==0.4.3"
            ],
            "v": "==0.4.3"
        }
    ],
    "python-jose": [
        {
            "advisory": "python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.",
            "cve": "CVE-2016-7036",
            "id": "pyup.io-35682",
            "specs": [
                "<1.3.2"
            ],
            "v": "<1.3.2"
        }
    ],
    "python-keystoneclient": [
        {
            "advisory": "The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.",
            "cve": "CVE-2015-1852",
            "id": "pyup.io-26082",
            "specs": [
                "<1.4.0"
            ],
            "v": "<1.4.0"
        },
        {
            "advisory": "The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.",
            "cve": "CVE-2015-7546",
            "id": "pyup.io-26083",
            "specs": [
                "<1.5.4",
                ">=2.0,<2.3.3"
            ],
            "v": "<1.5.4,>=2.0,<2.3.3"
        },
        {
            "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass. See: CVE-2013-2166.",
            "cve": "CVE-2013-2166",
            "id": "pyup.io-37748",
            "specs": [
                ">=0.2.3,<=0.2.5"
            ],
            "v": ">=0.2.3,<=0.2.5"
        },
        {
            "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass. See CVE-2013-2167.",
            "cve": "CVE-2013-2167",
            "id": "pyup.io-37749",
            "specs": [
                ">=0.2.3,<=0.2.5"
            ],
            "v": ">=0.2.3,<=0.2.5"
        }
    ],
    "python-libtorrent": [
        {
            "advisory": "python-libtorrent before 1.0.6 has several undisclosed vulnerabilities related to uTP.",
            "cve": null,
            "id": "pyup.io-26084",
            "specs": [
                "<1.0.6"
            ],
            "v": "<1.0.6"
        }
    ],
    "python-muranoclient": [
        {
            "advisory": "OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.",
            "cve": "CVE-2016-4972",
            "id": "pyup.io-26085",
            "specs": [
                "<0.7.3",
                ">=0.8,<0.8.5"
            ],
            "v": "<0.7.3,>=0.8,<0.8.5"
        }
    ],
    "python-nomad": [
        {
            "advisory": "python-nomad before 2.20.0 made it easier for remote attackers to discover credentials by sniffing the network.",
            "cve": null,
            "id": "pyup.io-36602",
            "specs": [
                "<2.20.0"
            ],
            "v": "<2.20.0"
        }
    ],
    "python-openflow": [
        {
            "advisory": "python-openflow 2016.1.a1 fixes a undisclosed security vulnerability.",
            "cve": null,
            "id": "pyup.io-33282",
            "specs": [
                "<2016.1.a1"
            ],
            "v": "<2016.1.a1"
        },
        {
            "advisory": "python-openflow 2019.1b3 change: Updated dependencies versions in order to fix security bugs.",
            "cve": null,
            "id": "pyup.io-37224",
            "specs": [
                "<2019.1b3"
            ],
            "v": "<2019.1b3"
        }
    ],
    "python-otr": [
        {
            "advisory": "python-otr before 1.1.0 is vulnerable to man-in-the-middle attacks as it allows to restart the protocol.",
            "cve": null,
            "id": "pyup.io-26086",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "python-pptx": [
        {
            "advisory": "python-pptx before 0.6.12 used a vulnerable version of Pillow.",
            "cve": null,
            "id": "pyup.io-36382",
            "specs": [
                "<0.6.12"
            ],
            "v": "<0.6.12"
        }
    ],
    "python-saml": [
        {
            "advisory": "python-saml before 2.1.6 is vulnerable to Signature Wrapping attacks.",
            "cve": null,
            "id": "pyup.io-26087",
            "specs": [
                "<2.1.6"
            ],
            "v": "<2.1.6"
        },
        {
            "advisory": "python-saml before 2.1.9 is vulnerable to Signature Wrapping attacks.",
            "cve": null,
            "id": "pyup.io-26088",
            "specs": [
                "<2.1.9"
            ],
            "v": "<2.1.9"
        },
        {
            "advisory": "Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.",
            "cve": "CVE-2017-11427",
            "id": "pyup.io-35779",
            "specs": [
                "<2.4.0"
            ],
            "v": "<2.4.0"
        }
    ],
    "python-secrets": [
        {
            "advisory": "Python-secrets 0.9.1 adds ``six`` for securing ``input`` call.",
            "cve": null,
            "id": "pyup.io-37582",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        },
        {
            "advisory": "Python-secrets before 19.10.0 adds control of umask for better file perm security.",
            "cve": null,
            "id": "pyup.io-37583",
            "specs": [
                "<19.10.0"
            ],
            "v": "<19.10.0"
        },
        {
            "advisory": "Python-secrets before 19.8.0 adds insecure permissions checking",
            "cve": null,
            "id": "pyup.io-37401",
            "specs": [
                "<19.8.0"
            ],
            "v": "<19.8.0"
        },
        {
            "advisory": "Python-secrets 19.8.3 ensures more secure permissions.",
            "cve": null,
            "id": "pyup.io-37421",
            "specs": [
                "<19.8.3"
            ],
            "v": "<19.8.3"
        }
    ],
    "python-smooch": [
        {
            "advisory": "python-smooch 1.0.4 bumps requests gem due to [vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2018-18074).",
            "cve": null,
            "id": "pyup.io-36604",
            "specs": [
                "<1.0.4"
            ],
            "v": "<1.0.4"
        }
    ],
    "python-socketio": [
        {
            "advisory": "Python-socketio 4.3.0 addresses potential websocket cross-origin attacks. See: <https://github.com/miguelgrinberg/python-engineio/issues/128>.",
            "cve": null,
            "id": "pyup.io-37308",
            "specs": [
                "<4.3.0"
            ],
            "v": "<4.3.0"
        }
    ],
    "python-zeep": [
        {
            "advisory": "python-zeep 0.4.0 adds defusedxml module for XML security issues.",
            "cve": null,
            "id": "pyup.io-36504",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "python3-ldap": [
        {
            "advisory": "python3-ldap before 0.9.5.4 has a security issue in lazy connections.",
            "cve": null,
            "id": "pyup.io-26089",
            "specs": [
                "<0.9.5.4"
            ],
            "v": "<0.9.5.4"
        }
    ],
    "python3-saml": [
        {
            "advisory": "python3-saml before 1.1.4 is vulnerable to signature wrapping attacks.",
            "cve": null,
            "id": "pyup.io-26090",
            "specs": [
                "<1.1.4"
            ],
            "v": "<1.1.4"
        },
        {
            "advisory": "python3-saml 1.2.0 introduces several undisclosed security improvements.",
            "cve": null,
            "id": "pyup.io-26091",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        },
        {
            "advisory": "python3-saml 1.2.6 now uses defusedxml that will prevent XEE and other attacks based on the abuse on XMLs. (CVE-2017-9672)",
            "cve": null,
            "id": "pyup.io-34782",
            "specs": [
                "<1.2.6"
            ],
            "v": "<1.2.6"
        },
        {
            "advisory": "Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.",
            "cve": "CVE-2017-11427",
            "id": "pyup.io-35780",
            "specs": [
                "<1.4.0"
            ],
            "v": "<1.4.0"
        }
    ],
    "pytrackdat": [
        {
            "advisory": "Pytrackdat 0.2.0 validates the security of the administrator passwords.",
            "cve": null,
            "id": "pyup.io-37141",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "pytsite": [
        {
            "advisory": "pytsite before 1.2 has a critical web login security issue.",
            "cve": null,
            "id": "pyup.io-34825",
            "specs": [
                "<1.2"
            ],
            "v": "<1.2"
        }
    ],
    "pyupdater": [
        {
            "advisory": "pyupdater before 0.20.0 is vulnerable to session fixation attacks and potentially cookie stealing.",
            "cve": null,
            "id": "pyup.io-26092",
            "specs": [
                "<0.20.0"
            ],
            "v": "<0.20.0"
        }
    ],
    "pyvcloud": [
        {
            "advisory": "pyvcloud 20.0.0 fixes CVE-2017-18342 : Replace yaml.load() with yaml.safe\\_load()",
            "cve": null,
            "id": "pyup.io-36809",
            "specs": [
                "<20.0.0"
            ],
            "v": "<20.0.0"
        },
        {
            "advisory": "Pyvcloud 20.1.0 includes a fix for a pyyaml vulnerability found in requirements.txt",
            "cve": null,
            "id": "pyup.io-37518",
            "specs": [
                "<20.1.0"
            ],
            "v": "<20.1.0"
        }
    ],
    "pyvisa": [
        {
            "advisory": "pyvisa before 0.9 has a undisclosed security vulnerability in visa.py.",
            "cve": null,
            "id": "pyup.io-26093",
            "specs": [
                "<0.9"
            ],
            "v": "<0.9"
        }
    ],
    "pywbem": [
        {
            "advisory": "pywbem 0.13.0 increases the minimum required versions dependent Python\r\n  packages in order to fix security issues with these packages.",
            "cve": null,
            "id": "pyup.io-36927",
            "specs": [
                "<0.13.0"
            ],
            "v": "<0.13.0"
        },
        {
            "advisory": "Pywbem 1.0.0 increases versions of the following packages to address security vulnerabilities:\r\n* requests from 2.19.1 to 2.20.1\r\n* urllib3 from 1.22 to 1.23\r\n* bleach from 2.1.0 to 2.1.4",
            "cve": null,
            "id": "pyup.io-37517",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "pywebsite": [
        {
            "advisory": "pywebsite 0.1.14pre's signed_url  method is now (more) immune to VS timing attacks.",
            "cve": null,
            "id": "pyup.io-26094",
            "specs": [
                "<0.1.14pre"
            ],
            "v": "<0.1.14pre"
        },
        {
            "advisory": "pywebsite before 0.1.9pre is vulnerable to length extension attacks, and value equivalence attacks.",
            "cve": null,
            "id": "pyup.io-26095",
            "specs": [
                "<0.1.9pre"
            ],
            "v": "<0.1.9pre"
        }
    ],
    "pywren-ibm-cloud": [
        {
            "advisory": "Pywren-ibm-cloud 1.0.1 fixes the flask security issues. See CVE-2018-1000656.",
            "cve": "CVE-2018-1000656",
            "id": "pyup.io-37480",
            "specs": [
                "<1.0.1"
            ],
            "v": "<1.0.1"
        },
        {
            "advisory": "Pywren-ibm-cloud 1.0.19 fixes the CVE-2019-12855 security alert.",
            "cve": "CVE-2019-12855",
            "id": "pyup.io-37479",
            "specs": [
                "<1.0.19"
            ],
            "v": "<1.0.19"
        }
    ],
    "pyxmlsecurity": [
        {
            "advisory": "pyxmlsecurity 0.9 protects against wrapping attacks.",
            "cve": null,
            "id": "pyup.io-26096",
            "specs": [
                "<0.9"
            ],
            "v": "<0.9"
        }
    ],
    "pyxnat": [
        {
            "advisory": "Pyxnat 1.1.0.0 fixes a vulnerability by upgrading the `requests` package.",
            "cve": null,
            "id": "pyup.io-37196",
            "specs": [
                "<1.1.0.0"
            ],
            "v": "<1.1.0.0"
        }
    ],
    "pyyaml": [
        {
            "advisory": "Pyyaml before 4 uses ``yaml.load`` which has been assigned CVE-2017-18342.",
            "cve": "CVE-2017-18342",
            "id": "pyup.io-36333",
            "specs": [
                "<4"
            ],
            "v": "<4"
        },
        {
            "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. See: CVE-2020-1747.",
            "cve": "CVE-2020-1747",
            "id": "pyup.io-38100",
            "specs": [
                "<5.3.1"
            ],
            "v": "<5.3.1"
        }
    ],
    "qi-jabberhelpdesk": [
        {
            "advisory": "qi-jabberhelpdesk  0.30 includes unspecified security fixes, some vulnerable xml-rpc calls fixed. [ggozad]",
            "cve": null,
            "id": "pyup.io-36052",
            "specs": [
                "<0.30"
            ],
            "v": "<0.30"
        }
    ],
    "qi.jabberhelpdesk": [
        {
            "advisory": "qi.jabberhelpdesk before 0.30 has several undisclosed vulnerabilities in xml-rpc calls.",
            "cve": null,
            "id": "pyup.io-26097",
            "specs": [
                "<0.30"
            ],
            "v": "<0.30"
        }
    ],
    "quandl-fund-xlsx": [
        {
            "advisory": "quandl-fund-xlsx 0.2.1  - Minor security fix, requests version now >=2.20.0",
            "cve": null,
            "id": "pyup.io-36655",
            "specs": [
                "<0.2.1"
            ],
            "v": "<0.2.1"
        }
    ],
    "quilt": [
        {
            "advisory": "quilt 2.9.14 updates urllib3 version for security patch",
            "cve": null,
            "id": "pyup.io-36749",
            "specs": [
                "<2.9.14"
            ],
            "v": "<2.9.14"
        }
    ],
    "quintagroup-seoptimizer": [
        {
            "advisory": "quintagroup-seoptimizer  3.0.4 fixes a security issue for SEO Property action and view\r\n  http://plone.org/products/plone-seo/issues/24",
            "cve": null,
            "id": "pyup.io-36006",
            "specs": [
                "<3.0.4"
            ],
            "v": "<3.0.4"
        }
    ],
    "quintagroup.seoptimizer": [
        {
            "advisory": "quintagroup.seoptimizer before 3.0.4 has a security issue for SEO Property action and view.",
            "cve": null,
            "id": "pyup.io-26098",
            "specs": [
                "<3.0.4"
            ],
            "v": "<3.0.4"
        }
    ],
    "qurro": [
        {
            "advisory": "The text boxes in qurro 0.4.0 describing the currently-selected numerator / denominator features are now \"read-only\" (you can't edit them while using Qurro). This should remove any vulnerability to accidental edits of these text boxes.",
            "cve": null,
            "id": "pyup.io-37374",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "qutebrowser": [
        {
            "advisory": "Qutebrowser 1.0.3 ships with PyQt 5.9.1 and Qt 5.9.2 which includes security fixes from Chromium up to version 61.0.3163.79.",
            "cve": null,
            "id": "pyup.io-35044",
            "specs": [
                "<1.0.3"
            ],
            "v": "<1.0.3"
        },
        {
            "advisory": "Qutebrowser 1.1.2 ships with Qt 5.10.1 which includes security fixes from Chromium up to version 64.0.3282.140.",
            "cve": null,
            "id": "pyup.io-35786",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        },
        {
            "advisory": "Qutebrowser 1.10.0 ships with Qt/QtWebEngine 5.14.1 in the macOS and Windows releases, which are based on Chromium 77.0.3865.129 with security fixes up to Chromium 79.0.3945.117.",
            "cve": null,
            "id": "pyup.io-37811",
            "specs": [
                "<1.10.0"
            ],
            "v": "<1.10.0"
        },
        {
            "advisory": "In qutebrowser 1.3.0, support for JavaScript Shared Web Workers has been disabled on Qt versions older than 5.11 because of security issues in Chromium. You can get the same effect in earlier versions via `:set qt.args ['disable-shared-workers']`. An equivalent workaround is also contained in Qt 5.9.5 and 5.10.1.",
            "cve": null,
            "id": "pyup.io-36929",
            "specs": [
                "<1.3.0"
            ],
            "v": "<1.3.0"
        },
        {
            "advisory": "In qutebrowser 1.3.3, an XSS vulnerability on the `qute://history` page allowed websites to inject HTML into the page via a crafted title tag. This could allow them to steal your browsing history. If you're currently unable to upgrade, avoid using `:history`. See CVE-2018-1000559.",
            "cve": "CVE-2018-1000559",
            "id": "pyup.io-37812",
            "specs": [
                "<1.3.3"
            ],
            "v": "<1.3.3"
        },
        {
            "advisory": "Qutebrowser 1.4.0 ships with Qt 5.11.1 in the macOS and Windows releases, which are based on Chromium 65.0.3325.151 with security fixes up to Chromium 67.0.3396.87. The security fix in v1.3.3 caused URLs with ampersands (`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on the `qute://history` page.",
            "cve": null,
            "id": "pyup.io-36294",
            "specs": [
                "<1.4.0"
            ],
            "v": "<1.4.0"
        },
        {
            "advisory": "Qutebrowser 1.4.1 fixes the CSRF issue on the qute://settings page, leading to possible arbitrary code execution. See https://github.com/qutebrowser/qutebrowser/issues/4060 and CVE-2018-10895.",
            "cve": "CVE-2018-10895",
            "id": "pyup.io-36970",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        },
        {
            "advisory": "Qutebrowser 1.5.0 ships with Python 3.7, PyQt 5.11.3 and Qt 5.11.2. QtWebEngine includes security fixes up to Chromium 68.0.3440.75 and various other fixes.",
            "cve": null,
            "id": "pyup.io-36521",
            "specs": [
                "<1.5.0"
            ],
            "v": "<1.5.0"
        },
        {
            "advisory": "Qutebrowser 1.6.0 ships with Qt 5.12.1 which is based on Chromium 69.0.3497.128 with security fixes up to 71.0.3578.94.",
            "cve": null,
            "id": "pyup.io-36199",
            "specs": [
                "<1.6.0"
            ],
            "v": "<1.6.0"
        },
        {
            "advisory": "Qutebrowser 1.6.1 ships with Qt 5.12.2 in the macOS and Windows releases, which includes security fixes up to Chromium 72.0.3626.121 (including CVE-2019-5786 which is known to be exploited in the wild).",
            "cve": null,
            "id": "pyup.io-36280",
            "specs": [
                "<1.6.1"
            ],
            "v": "<1.6.1"
        },
        {
            "advisory": "Qutebrowser 1.6.2 ships with Qt 5.12.3 in the macOS and Windows releases, which includes security fixes up to Chromium 73.0.3683.75.",
            "cve": null,
            "id": "pyup.io-37120",
            "specs": [
                "<1.6.2"
            ],
            "v": "<1.6.2"
        },
        {
            "advisory": "Qutebrowser 1.7.0 ships with Qt 5.12.4 in the macOS and Windows releases, which includes security fixes up to Chromium 74.0.3729.157.",
            "cve": null,
            "id": "pyup.io-37507",
            "specs": [
                "<1.7.0"
            ],
            "v": "<1.7.0"
        },
        {
            "advisory": "Qutebrowser 1.8.0 ships with Qt 5.13.0 and QtWebEngine 5.13.1 in the macOS releases (based on Chromium 73.0.3683.105), and Qt/QtWebEngine 5.12.5 in the Windows release (based on Chromium 69.0.3497.128), which both include security fixes up to Chromium 76.0.3809.87.",
            "cve": null,
            "id": "pyup.io-37506",
            "specs": [
                "<1.8.0"
            ],
            "v": "<1.8.0"
        },
        {
            "advisory": "Qutebrowser 1.8.1 ships with Qt/QtWebEngine 5.12.5 in the macOS and Windows releases, which are based on Chromium 69.0.3497.128 with security fixes up to Chromium 76.0.3809.87.",
            "cve": null,
            "id": "pyup.io-37511",
            "specs": [
                "<1.8.1"
            ],
            "v": "<1.8.1"
        },
        {
            "advisory": "Qutebrowser 1.8.2 ships with Qt 5.12.6 in the macOS and Windows releases, which includes security fixes up to Chromium 77.0.3865.120 plus a security fix for CVE-2019-13720 from Chromium 78.",
            "cve": null,
            "id": "pyup.io-36433",
            "specs": [
                "<1.8.2"
            ],
            "v": "<1.8.2"
        }
    ],
    "radicale": [
        {
            "advisory": "radicale before 1.1.2 is vulnerable to bruteforce attacks when using the htpasswd authentication method.",
            "cve": null,
            "id": "pyup.io-33323",
            "specs": [
                "<1.1.2"
            ],
            "v": "<1.1.2"
        }
    ],
    "raiden": [
        {
            "advisory": "Raiden 0.10.0 fixes a security issue where an attacker could eavesdrop Matrix communications between two nodes in private rooms.",
            "cve": null,
            "id": "pyup.io-37316",
            "specs": [
                "<0.10.0"
            ],
            "v": "<0.10.0"
        },
        {
            "advisory": "The Monitoring Service database in raiden before 0.2.0 (before 0.100.5.dev0) is vulnerable to timing based Monitoring Request injection. See <https://github.com/raiden-network/raiden-services/issues/418>.",
            "cve": null,
            "id": "pyup.io-37364",
            "specs": [
                "<0.2.0",
                ">=0.100,<0.100.5.dev0"
            ],
            "v": "<0.2.0,>=0.100,<0.100.5.dev0"
        }
    ],
    "raiden-services": [
        {
            "advisory": "In raiden-services before 0.2.0 , the Monitoring Service database was vulnerable to timing-based Monitoring Request injection. See: <https://github.com/raiden-network/raiden-services/issues/418>.",
            "cve": null,
            "id": "pyup.io-37317",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "rauth": [
        {
            "advisory": "rauth before 0.7.0 isn't using a secure random number generator.",
            "cve": null,
            "id": "pyup.io-26099",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        }
    ],
    "raylib": [
        {
            "advisory": "Raylib 1.1.1 adds a security check if a file doesn't exist - [textures]",
            "cve": null,
            "id": "pyup.io-37166",
            "specs": [
                "<1.1.1"
            ],
            "v": "<1.1.1"
        },
        {
            "advisory": "Raylib 1.2 adds a security check in case deployed vertex excess buffer size - [rlgl]",
            "cve": null,
            "id": "pyup.io-37165",
            "specs": [
                "<1.2"
            ],
            "v": "<1.2"
        }
    ],
    "rdiff-backup": [
        {
            "advisory": "Version 0.5.0 increased rdiff-backup's security by using popen2.Popen3 and os.spawnvp instead of os.popen and os.system.",
            "cve": null,
            "id": "pyup.io-38068",
            "specs": [
                "<0.5.0"
            ],
            "v": "<0.5.0"
        },
        {
            "advisory": "Rdiff-backup 0.9.3 adds some security features to the protocol, so rdiff-backup will now only allow commands from remote connections.  The extra security will be enabled automatically on the client (it knows what to expect), but\r\nthe extra switches --restrict, --restrict-update-only, and --restrict-read-only have been added for use with --server.",
            "cve": null,
            "id": "pyup.io-38067",
            "specs": [
                "<0.9.3"
            ],
            "v": "<0.9.3"
        },
        {
            "advisory": "Rdiff-backup 1.0.2 includes a fix for a spurious security violation from --create-full-path and a fix for bug 14545 which was introduced in version 1.0.1:  Quoting caused a spurious security violation.",
            "cve": null,
            "id": "pyup.io-38064",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        },
        {
            "advisory": "Rdiff-backup 1.1.6 fixes a security violation when restoring from a remote repository.",
            "cve": null,
            "id": "pyup.io-38063",
            "specs": [
                "<1.1.6"
            ],
            "v": "<1.1.6"
        }
    ],
    "readsettings": [
        {
            "advisory": "Readsettings 3.3.1 replaces `yaml.load` with the more secure, `yaml.safe_load`.",
            "cve": null,
            "id": "pyup.io-37027",
            "specs": [
                "<3.3.1"
            ],
            "v": "<3.3.1"
        }
    ],
    "recurly": [
        {
            "advisory": "The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource.get\" method that could result in compromise of API keys or other critical resources.",
            "cve": "CVE-2017-0906",
            "id": "pyup.io-35697",
            "specs": [
                "<=2.6.2"
            ],
            "v": "<=2.6.2"
        }
    ],
    "remme": [
        {
            "advisory": "remme 0.2.1alpha reviewed and fixed security issues on token operations.",
            "cve": null,
            "id": "pyup.io-36973",
            "specs": [
                "<0.2.1alpha"
            ],
            "v": "<0.2.1alpha"
        },
        {
            "advisory": "remme 0.5.0alpha upgrades py-cryptography to mitigate CVE-2018-10903.",
            "cve": null,
            "id": "pyup.io-36971",
            "specs": [
                "<0.5.0-alpha"
            ],
            "v": "<0.5.0-alpha"
        }
    ],
    "renku": [
        {
            "advisory": "Renku 0.6.0 updates the werkzeug package due to security concerns - see https://github.com/SwissDataScienceCenter/renku-python/issues/633",
            "cve": null,
            "id": "pyup.io-37548",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "repobee": [
        {
            "advisory": "Repobee 2.0.2 filters out secure token from `show-config` command output [92aa5cf08cc08d2647a9f22bb6ff120cd5a88360].",
            "cve": null,
            "id": "pyup.io-37383",
            "specs": [
                "<2.0.2"
            ],
            "v": "<2.0.2"
        }
    ],
    "requests": [
        {
            "advisory": "requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect.\r\n  Fix CVE-2014-1829 and CVE-2014-1830 respectively",
            "cve": null,
            "id": "pyup.io-26101",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        },
        {
            "advisory": "requests 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.",
            "cve": null,
            "id": "pyup.io-26102",
            "specs": [
                "<2.6.0"
            ],
            "v": "<2.6.0"
        },
        {
            "advisory": "The Requests package through 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.",
            "cve": "CVE-2018-18074",
            "id": "pyup.io-36546",
            "specs": [
                "<=2.19.1"
            ],
            "v": "<=2.19.1"
        },
        {
            "advisory": "The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.",
            "cve": "CVE-2015-2296",
            "id": "pyup.io-26103",
            "specs": [
                ">=2.1,<=2.5.3"
            ],
            "v": ">=2.1,<=2.5.3"
        }
    ],
    "requests-kerberos": [
        {
            "advisory": "requests-kerberos before 0.6 isn't handling mutual authentication correctly.",
            "cve": null,
            "id": "pyup.io-26104",
            "specs": [
                "<0.6"
            ],
            "v": "<0.6"
        }
    ],
    "responsibly": [
        {
            "advisory": "Responsibly 0.0.3 fixes security issues with its dependencies.",
            "cve": null,
            "id": "pyup.io-37335",
            "specs": [
                "<0.0.3"
            ],
            "v": "<0.0.3"
        }
    ],
    "restauth": [
        {
            "advisory": "restauth before 0.6.3 did not verify passwords for services when using SECURE_CACHE = True.",
            "cve": null,
            "id": "pyup.io-26105",
            "specs": [
                "<0.6.3"
            ],
            "v": "<0.6.3"
        }
    ],
    "restkit": [
        {
            "advisory": "Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument.",
            "cve": "CVE-2015-2674",
            "id": "pyup.io-35609",
            "specs": [
                "<=4.2.2"
            ],
            "v": "<=4.2.2"
        }
    ],
    "restrictedpython": [
        {
            "advisory": "Restrictedpython 4.0 ships with a default implementation for ``_getattr_`` which prevents from using the ``format()`` method on str/unicode as it is not safe. See <http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/>.\r\n\r\n **Caution:** If you do not already have secured the access to this ``format()`` method in your ``_getattr_`` implementation use ``RestrictedPython.Guards.safer_getattr()`` in your implementation to benefit from this fix.",
            "cve": null,
            "id": "pyup.io-37433",
            "specs": [
                "<4.0"
            ],
            "v": "<4.0"
        }
    ],
    "restview": [
        {
            "advisory": "restview before 2.8.1 isn't properly checking the host header in HTTP requests, leading to possible DNS rebinding attacks. More info: https://github.com/mgedmin/restview/issues/51",
            "cve": null,
            "id": "pyup.io-35166",
            "specs": [
                "<2.8.1"
            ],
            "v": "<2.8.1"
        }
    ],
    "ricloud": [
        {
            "advisory": "ricloud 2.3.8 updates requests in requirements due to vulnerability discovery.",
            "cve": null,
            "id": "pyup.io-36723",
            "specs": [
                "<2.3.8"
            ],
            "v": "<2.3.8"
        }
    ],
    "rinzler": [
        {
            "advisory": "rinzler 2.0.5 includes a PyYAML vulnerability correction",
            "cve": null,
            "id": "pyup.io-36895",
            "specs": [
                "<2.0.5"
            ],
            "v": "<2.0.5"
        }
    ],
    "river-admin": [
        {
            "advisory": "River-admin 0.5.2 fixes a vulnerability issue with `serialize-javascript` dependency.",
            "cve": null,
            "id": "pyup.io-37698",
            "specs": [
                "<0.5.2"
            ],
            "v": "<0.5.2"
        }
    ],
    "robotraconteur": [
        {
            "advisory": "robotraconteur 0.9.0 changes: The `LocalTransport` file handle locations have been moved for increased security",
            "cve": null,
            "id": "pyup.io-37221",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        }
    ],
    "rope": [
        {
            "advisory": "base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.",
            "cve": "CVE-2014-3539",
            "id": "pyup.io-36155",
            "specs": [
                "<0.10"
            ],
            "v": "<0.10"
        }
    ],
    "rotten-tomatoes-cli": [
        {
            "advisory": "Rotten-tomatoes-cli 0.0.2 updates the `pyyaml`, `urllib3`, and `requests` dependencies to avoid security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37315",
            "specs": [
                "<0.0.2"
            ],
            "v": "<0.0.2"
        }
    ],
    "roundup": [
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.",
            "cve": "CVE-2012-6130",
            "id": "pyup.io-33162",
            "specs": [
                "<1.4.20"
            ],
            "v": "<1.4.20"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.",
            "cve": "CVE-2012-6131",
            "id": "pyup.io-33163",
            "specs": [
                "<1.4.20"
            ],
            "v": "<1.4.20"
        },
        {
            "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. See: CVE-2012-6133.",
            "cve": "CVE-2012-6133",
            "id": "pyup.io-37744",
            "specs": [
                "<1.4.20"
            ],
            "v": "<1.4.20"
        },
        {
            "advisory": "Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. See: CVE-2019-10904.",
            "cve": "CVE-2019-10904",
            "id": "pyup.io-37025",
            "specs": [
                "==1.6"
            ],
            "v": "==1.6"
        }
    ],
    "rpc4django": [
        {
            "advisory": "rpc4django before 0.2.3 is vulnerable to billion laughs denial of service attack.",
            "cve": null,
            "id": "pyup.io-26108",
            "specs": [
                "<0.2.3"
            ],
            "v": "<0.2.3"
        }
    ],
    "rply": [
        {
            "advisory": "The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.",
            "cve": "CVE-2014-1604",
            "id": "pyup.io-35520",
            "specs": [
                "<0.7.1"
            ],
            "v": "<0.7.1"
        },
        {
            "advisory": "python-rply before 0.7.4 insecurely creates temporary files. See: CVE-2014-1938.",
            "cve": "CVE-2014-1938",
            "id": "pyup.io-37755",
            "specs": [
                "<0.7.4"
            ],
            "v": "<0.7.4"
        }
    ],
    "rpyc": [
        {
            "advisory": "Rpyc 4.1.2 includes a fix for CVE-2019-16328 which was caused by a missing protocol security check.",
            "cve": "CVE-2019-16328",
            "id": "pyup.io-37525",
            "specs": [
                "<4.1.2"
            ],
            "v": "<4.1.2"
        }
    ],
    "rs-django-jet": [
        {
            "advisory": "rs-django-jet 1.0.4 fixes security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.",
            "cve": null,
            "id": "pyup.io-36903",
            "specs": [
                "<1.0.4"
            ],
            "v": "<1.0.4"
        }
    ],
    "rsa": [
        {
            "advisory": "rsa 2.0 includes several undisclosed security improvements.",
            "cve": null,
            "id": "pyup.io-26109",
            "specs": [
                "<2.0"
            ],
            "v": "<2.0"
        },
        {
            "advisory": "The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.",
            "cve": "CVE-2016-1494",
            "id": "pyup.io-33164",
            "specs": [
                "<3.3"
            ],
            "v": "<3.3"
        },
        {
            "advisory": "rsa before 3.4 has a undisclosed side-channel vulnerability.",
            "cve": null,
            "id": "pyup.io-26112",
            "specs": [
                "<3.4"
            ],
            "v": "<3.4"
        }
    ],
    "rsanic": [
        {
            "advisory": "rsanic before 0.2.2 is vulnerable to XSS attacks.",
            "cve": null,
            "id": "pyup.io-33007",
            "specs": [
                "<0.2.2"
            ],
            "v": "<0.2.2"
        }
    ],
    "rss2email": [
        {
            "advisory": "Rss2email 3.10 fixes SMTP security issues.",
            "cve": null,
            "id": "pyup.io-37430",
            "specs": [
                "<3.10"
            ],
            "v": "<3.10"
        }
    ],
    "rtv": [
        {
            "advisory": "rtv before 1.12.1 has a security vulnerability where malicious URLs could inject python code.",
            "cve": null,
            "id": "pyup.io-26113",
            "specs": [
                "<1.12.1"
            ],
            "v": "<1.12.1"
        }
    ],
    "ruffruffs": [
        {
            "advisory": "ruffruffs 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.",
            "cve": null,
            "id": "pyup.io-26116",
            "specs": [
                "<2.6.0"
            ],
            "v": "<2.6.0"
        }
    ],
    "s4": [
        {
            "advisory": "S4 0.4.2 upgrades boto3 to minimum requirement to fix a vulnerability in a urllib3 dependency.",
            "cve": null,
            "id": "pyup.io-37119",
            "specs": [
                "<0.4.2"
            ],
            "v": "<0.4.2"
        }
    ],
    "safety": [
        {
            "advisory": "safety before 1.8.4 included the cryptography version <2.3, which had a security vulnerability.",
            "cve": null,
            "id": "pyup.io-36367",
            "specs": [
                "<1.8.4"
            ],
            "v": "<1.8.4"
        }
    ],
    "sagemaker-containers": [
        {
            "advisory": "Sagemaker-containers 2.8.2 updates a dependency for security reasons.",
            "cve": null,
            "id": "pyup.io-38087",
            "specs": [
                "<2.8.2"
            ],
            "v": "<2.8.2"
        }
    ],
    "sanic-oauthlib": [
        {
            "advisory": "Sanic-oauthlib 0.9.1 improves security in a not further specified way.",
            "cve": null,
            "id": "pyup.io-37397",
            "specs": [
                "<0.9.1"
            ],
            "v": "<0.9.1"
        }
    ],
    "satosa": [
        {
            "advisory": "satosa before 0.6.1 uses an insecure transitive dependency (pycrypto).",
            "cve": null,
            "id": "pyup.io-34714",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        }
    ],
    "sbp": [
        {
            "advisory": "sbp 2.4.2 updates mocha away from a security vulnerability in growl [\\575](https://github.com/swift-nav/libsbp/pull/575)",
            "cve": null,
            "id": "pyup.io-36695",
            "specs": [
                "<2.4.2"
            ],
            "v": "<2.4.2"
        },
        {
            "advisory": "Sbp v2.6.5 pins minor rev versions, security fix for requests - see: https://github.com/swift-nav/libsbp/pull/709",
            "cve": null,
            "id": "pyup.io-36662",
            "specs": [
                "<2.6.5"
            ],
            "v": "<2.6.5"
        },
        {
            "advisory": "sbp 2.7.0 updates requests to resolve security issue (https://github.com/swift-nav/libsbp/pull/708)",
            "cve": null,
            "id": "pyup.io-37937",
            "specs": [
                "<2.7.0"
            ],
            "v": "<2.7.0"
        },
        {
            "advisory": "Sbp 2.7.0 updates requests to resolve security issue - see https://github.com/swift-nav/libsbp/pull/708",
            "cve": null,
            "id": "pyup.io-37642",
            "specs": [
                "<2.7.0"
            ],
            "v": "<2.7.0"
        }
    ],
    "scapy": [
        {
            "advisory": "Scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite loop, resource consumption and program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). The attack vector is: over the network or in a pcap. both work. See: CVE-2019-1010142.",
            "cve": "CVE-2019-1010142",
            "id": "pyup.io-37285",
            "specs": [
                "==2.4.0"
            ],
            "v": "==2.4.0"
        },
        {
            "advisory": "Scapy 2.4.2 addresses a Malicious Radius Attribute DoS vulnerability. See: <https://github.com/secdev/scapy/security/advisories/GHSA-q5wg-mj9r-hp59>.",
            "cve": null,
            "id": "pyup.io-37341",
            "specs": [
                ">=2.4.0,<2.4.2"
            ],
            "v": ">=2.4.0,<2.4.2"
        }
    ],
    "sceptre": [
        {
            "advisory": "sceptre 2.3.0 fixes Jinja autoescape vulnerability",
            "cve": null,
            "id": "pyup.io-37821",
            "specs": [
                "<2.3.0"
            ],
            "v": "<2.3.0"
        }
    ],
    "scrapydd": [
        {
            "advisory": "Scrapydd 0.6.3 enhances the security by adding protection against cross-site request forgery.",
            "cve": null,
            "id": "pyup.io-37457",
            "specs": [
                "<0.6.3"
            ],
            "v": "<0.6.3"
        }
    ],
    "scvae": [
        {
            "advisory": "scvae 2.1.1 updates TensorFlow because of a security vulnerability.",
            "cve": null,
            "id": "pyup.io-37932",
            "specs": [
                "<2.1.1"
            ],
            "v": "<2.1.1"
        }
    ],
    "sdcclient": [
        {
            "advisory": "Sdcclient 0.7.0 adds support for secure commands audit.",
            "cve": null,
            "id": "pyup.io-37050",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        }
    ],
    "seed-auth-api": [
        {
            "advisory": "Seed-auth-api 0.9.3 includes upgrades of dependencies with security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37441",
            "specs": [
                "<0.9.3"
            ],
            "v": "<0.9.3"
        }
    ],
    "seed-control-interface": [
        {
            "advisory": "Seed-control-interface-service 0.9.16 includes upgrades of dependencies with security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37440",
            "specs": [
                "<0.9.16"
            ],
            "v": "<0.9.16"
        }
    ],
    "seed-control-interface-service": [
        {
            "advisory": "Seed-control-interface-service 0.9.6 includes upgrades of dependencies with security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37442",
            "specs": [
                "<0.9.6"
            ],
            "v": "<0.9.6"
        }
    ],
    "seed-identity-store": [
        {
            "advisory": "Seed-identity-store 0.10.2 includes upgrades of dependencies with security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37437",
            "specs": [
                "<0.10.2"
            ],
            "v": "<0.10.2"
        }
    ],
    "seed-message-sender": [
        {
            "advisory": "Seed-message-sender 0.10.9 includes upgrades of dependencies with security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37436",
            "specs": [
                "<0.10.9"
            ],
            "v": "<0.10.9"
        }
    ],
    "seed-scheduler": [
        {
            "advisory": "Seed-scheduler 0.10.2 includes upgrades of dependencies with security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37439",
            "specs": [
                "<0.10.2"
            ],
            "v": "<0.10.2"
        }
    ],
    "seed-stage-based-messaging": [
        {
            "advisory": "seed-stage-based-messaging 0.11.0 upgrades requests to fix security vulnerability",
            "cve": null,
            "id": "pyup.io-36653",
            "specs": [
                "<0.11.0"
            ],
            "v": "<0.11.0"
        },
        {
            "advisory": "Seed-stage-based-messaging 0.13.0 includes upgrades of dependencies with security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-37438",
            "specs": [
                "<0.13.0"
            ],
            "v": "<0.13.0"
        }
    ],
    "seldon-core": [
        {
            "advisory": "seldon-core 0.5.1 bumps pillow from 6.0.0 to 6.2.0, see: https://github.com/SeldonIO/seldon-core/pull/1062",
            "cve": null,
            "id": "pyup.io-37893",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        }
    ],
    "sentry": [
        {
            "advisory": "sentry before 0.12.2 has a security flaw where exponential numbers in specially crafted params could cause a CPU attack.",
            "cve": null,
            "id": "pyup.io-33030",
            "specs": [
                "<0.12.2"
            ],
            "v": "<0.12.2"
        },
        {
            "advisory": "sentry before 6.1.1 is vulnerable to a remote code execution exploit.",
            "cve": null,
            "id": "pyup.io-26117",
            "specs": [
                "<6.1.1"
            ],
            "v": "<6.1.1"
        },
        {
            "advisory": "sentry before 7.4.0 has a XSS vulnerability with tag values not being escaped (on the group details page).",
            "cve": null,
            "id": "pyup.io-26118",
            "specs": [
                "<7.4.0"
            ],
            "v": "<7.4.0"
        },
        {
            "advisory": "sentry before 7.5.5 is vulnerable to a XSS attack in tags and the stream filter box.",
            "cve": null,
            "id": "pyup.io-26119",
            "specs": [
                "<7.5.5"
            ],
            "v": "<7.5.5"
        },
        {
            "advisory": "sentry before 7.6.1 is vulnerable to a XSS attack in tags and the stream filter box.",
            "cve": null,
            "id": "pyup.io-26120",
            "specs": [
                "<7.6.1"
            ],
            "v": "<7.6.1"
        },
        {
            "advisory": "sentry before 8.1.4 has a security issue where a superuser had the ability to inject data into audit logs through the admin UI.",
            "cve": null,
            "id": "pyup.io-26121",
            "specs": [
                "<8.1.4"
            ],
            "v": "<8.1.4"
        },
        {
            "advisory": "sentry before 8.1.5 if being run in multi-organization mode, it was possible for a user to craft a URL which would allow them to view membership details of other users.",
            "cve": null,
            "id": "pyup.io-26122",
            "specs": [
                "<8.1.5"
            ],
            "v": "<8.1.5"
        },
        {
            "advisory": "sentry before 8.2.2 has a security issue where a superuser had the ability to inject data into audit logs through the admin UI.",
            "cve": null,
            "id": "pyup.io-26123",
            "specs": [
                "<8.2.2"
            ],
            "v": "<8.2.2"
        },
        {
            "advisory": "sentry before 8.2.4 if being run in multi-organization mode, it was possible for a user to craft a URL which would allow them to view membership details of other users.",
            "cve": null,
            "id": "pyup.io-26124",
            "specs": [
                "<8.2.4"
            ],
            "v": "<8.2.4"
        },
        {
            "advisory": "sentry before 8.2.5 is vulnerable to an attack which allows API keys more permission than granted within the organization.",
            "cve": null,
            "id": "pyup.io-26125",
            "specs": [
                "<8.2.5"
            ],
            "v": "<8.2.5"
        },
        {
            "advisory": "sentry before 8.3.3 is vulnerable to an attack which allows API keys more permission than granted within the organization.",
            "cve": null,
            "id": "pyup.io-26126",
            "specs": [
                "<8.3.3"
            ],
            "v": "<8.3.3"
        },
        {
            "advisory": "sentry 8.8 includes various security fixes related to CSRF and XSS.",
            "cve": null,
            "id": "pyup.io-26127",
            "specs": [
                "<8.8"
            ],
            "v": "<8.8"
        }
    ],
    "sequoia-client-sdk": [
        {
            "advisory": "sequoia-client-sdk 1.2.0 upgrades libraries `urllib3` and `requests` upgraded to solve security issues:",
            "cve": null,
            "id": "pyup.io-36949",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        },
        {
            "advisory": "Sequoia-client-sdk 2.0.0 upgrades `urllib3` and `requests` to solve security issues.",
            "cve": null,
            "id": "pyup.io-37199",
            "specs": [
                "<2.0.0"
            ],
            "v": "<2.0.0"
        }
    ],
    "serpscrap": [
        {
            "advisory": "Serpscrap 0.13.0 updates the dependency on chromedriver to >= 76.0.3809.68 and sqlalchemy>=1.3.7 to solve security issues and other minor update changes.",
            "cve": null,
            "id": "pyup.io-37406",
            "specs": [
                "<0.13.0"
            ],
            "v": "<0.13.0"
        }
    ],
    "sesame": [
        {
            "advisory": "sesame 0.3.0 is using a secure extraction/decryption using tempfile.",
            "cve": null,
            "id": "pyup.io-26128",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "setup-tools": [
        {
            "advisory": "setup-tools  is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34984",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "setuptools": [
        {
            "advisory": "setuptools 0.9.5 fixes a security vulnerability in SSL certificate validation.",
            "cve": null,
            "id": "pyup.io-26129",
            "specs": [
                "<0.9.5"
            ],
            "v": "<0.9.5"
        },
        {
            "advisory": "setuptools before 1.3 has a security vulnerability in SSL match_hostname check as reported in Python 17997.",
            "cve": null,
            "id": "pyup.io-26132",
            "specs": [
                "<1.3"
            ],
            "v": "<1.3"
        },
        {
            "advisory": "setuptools 3.0 avoids the potential security vulnerabilities presented by use of tar archives in ez_setup.py. It also leverages the security features added to ZipFile.extract in Python 2.7.4.",
            "cve": null,
            "id": "pyup.io-26133",
            "specs": [
                "<3.0"
            ],
            "v": "<3.0"
        }
    ],
    "sevabot": [
        {
            "advisory": "sevabot before 1.1 allows arbitrary commands to be executed.",
            "cve": null,
            "id": "pyup.io-26134",
            "specs": [
                "<1.1"
            ],
            "v": "<1.1"
        }
    ],
    "sftp-cloudfs": [
        {
            "advisory": "sftp-cloudfs before 0.13.1 is using an insecure transitive dependency (ftp-cloudfs<=0.26.1).",
            "cve": null,
            "id": "pyup.io-26135",
            "specs": [
                "<0.13.1"
            ],
            "v": "<0.13.1"
        }
    ],
    "shaka-streamer": [
        {
            "advisory": "Shaka-streamer 0.3.0 fixes the PyYAML deprecation warning and YAML loading vulnerability - see: https://github.com/google/shaka-streamer/issues/35",
            "cve": null,
            "id": "pyup.io-37578",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "shiftboiler": [
        {
            "advisory": "shiftboiler before 0.6.5 included a minor security issue: If google login did not return an id, user can takeover another user's account.",
            "cve": null,
            "id": "pyup.io-36542",
            "specs": [
                "<0.6.5"
            ],
            "v": "<0.6.5"
        }
    ],
    "simple-salesforce": [
        {
            "advisory": "Simple-salesforce 1.0.0 makes the minimum version of requests v2.22.0, which allow removal of requests. This is reported as a security-related update.",
            "cve": null,
            "id": "pyup.io-38083",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "simplemonitor": [
        {
            "advisory": "simplemonitor 2.7 changes the remote monitor protocol and uses the JSON format for remote monitor protocol (more secure than pickle)",
            "cve": null,
            "id": "pyup.io-37886",
            "specs": [
                "<2.7"
            ],
            "v": "<2.7"
        }
    ],
    "simulaqron": [
        {
            "advisory": "Simulaqron 3.0.7 bumps to twisted 19.7 due to security vulnerabilities with earlier versions.",
            "cve": null,
            "id": "pyup.io-37571",
            "specs": [
                "<3.0.7"
            ],
            "v": "<3.0.7"
        }
    ],
    "slackeventsapi": [
        {
            "advisory": "slackeventsapi 2.1.0 updates minimum Flask version to address security vulnerability (45)",
            "cve": null,
            "id": "pyup.io-36729",
            "specs": [
                "<2.1.0"
            ],
            "v": "<2.1.0"
        }
    ],
    "smeagol": [
        {
            "advisory": "smeagol 0.1.0 has several known bugs and security issues that need to be addressed before it can be used in production.",
            "cve": null,
            "id": "pyup.io-34818",
            "specs": [
                "<0.1.0"
            ],
            "v": "<0.1.0"
        }
    ],
    "snappass": [
        {
            "advisory": "snappass 1.4.1 upgrades cryptography to 2.3.1 (for CVE-2018-10903)",
            "cve": null,
            "id": "pyup.io-36605",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        }
    ],
    "sncli": [
        {
            "advisory": "Sncli 0.4.0 contains a security fix for an arbitrary code execution bug. Copying text from notes to the clipboard was being performed by building a shell command to execute. This resulted in the line being copied substituted directly into the shell command. A carefully crafted line could run any arbitrary shell command, and some lines could crash the\r\nprocess causing the line to fail to copy. This fixes the issue by not using a shell to interpret the command, and\r\npassing the text to be copied directly to stdin.",
            "cve": null,
            "id": "pyup.io-37302",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "soapfish": [
        {
            "advisory": "soapfish before 0.6.0 has a potential security issue - pattern restrictions were not applied correctly.",
            "cve": null,
            "id": "pyup.io-26136",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "soappy": [
        {
            "advisory": "soappy before 0.12.6 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
            "cve": null,
            "id": "pyup.io-26137",
            "specs": [
                "<0.12.6"
            ],
            "v": "<0.12.6"
        }
    ],
    "soappy-py3": [
        {
            "advisory": "soappy-py3 before 0.12.6 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
            "cve": null,
            "id": "pyup.io-26138",
            "specs": [
                "<0.12.6"
            ],
            "v": "<0.12.6"
        }
    ],
    "sopel": [
        {
            "advisory": "A security issue involving an improperly named channel logs was fixed in Sopel 4.4.0.",
            "cve": null,
            "id": "pyup.io-26139",
            "specs": [
                "<4.4.0"
            ],
            "v": "<4.4.0"
        },
        {
            "advisory": "Sopel 6.3.0 uses the `requests` package for stability and security.",
            "cve": null,
            "id": "pyup.io-27413",
            "specs": [
                "<6.3.0"
            ],
            "v": "<6.3.0"
        }
    ],
    "sparselandtools": [
        {
            "advisory": "sparselandtools 1.0.1 requires newer versions of third party packages for security reasons in some cases",
            "cve": null,
            "id": "pyup.io-37929",
            "specs": [
                "<1.0.1"
            ],
            "v": "<1.0.1"
        }
    ],
    "sphinx-paragraph-extractor": [
        {
            "advisory": "Sphinx-paragraph-extractor 1.0.4 updates dependencies for security reasons.",
            "cve": null,
            "id": "pyup.io-37082",
            "specs": [
                "<1.0.4"
            ],
            "v": "<1.0.4"
        }
    ],
    "spintest": [
        {
            "advisory": "spintest 0.2.0 renders the UUID Token invisible in the log to avoid security violation, when spintest is used during the CI/CD tools",
            "cve": null,
            "id": "pyup.io-37859",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "splash": [
        {
            "advisory": "splash before 2.0.1 is vulnerable to a XSS attack in HTTP UI.",
            "cve": null,
            "id": "pyup.io-26140",
            "specs": [
                "<2.0.1"
            ],
            "v": "<2.0.1"
        },
        {
            "advisory": "In splash before 2.3.2 xvfb binds to ports in the range 6000-6200 on all available interfaces.",
            "cve": null,
            "id": "pyup.io-33045",
            "specs": [
                "<2.3.2"
            ],
            "v": "<2.3.2"
        }
    ],
    "splunk-sdk": [
        {
            "advisory": "Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks.",
            "cve": "CVE-2019-5729",
            "id": "pyup.io-36969",
            "specs": [
                "<1.6.6"
            ],
            "v": "<1.6.6"
        }
    ],
    "spud": [
        {
            "advisory": "spud before 0.8 doesn't check permissions. Anybody could edit photos.",
            "cve": null,
            "id": "pyup.io-26141",
            "specs": [
                "<0.8"
            ],
            "v": "<0.8"
        }
    ],
    "sqlathanor": [
        {
            "advisory": "Sqlathanor 0.5.0 updates the ``requirements.txt`` (which does not actually indicate utilization dependencies, and instead indicates development dependencies) to upgrade a number of libraries that had recently had security vulnerabilities discovered.",
            "cve": null,
            "id": "pyup.io-37403",
            "specs": [
                "<0.5.0"
            ],
            "v": "<0.5.0"
        }
    ],
    "ssh-audit": [
        {
            "advisory": "Ssh-audit 2.2.0 re-classifies the very common `ssh-rsa` host key type as weak, due to practical SHA-1 attacks - see https://eprint.iacr.org/2020/014.pdf",
            "cve": null,
            "id": "pyup.io-38046",
            "specs": [
                "<2.2.0"
            ],
            "v": "<2.2.0"
        }
    ],
    "starcluster": [
        {
            "advisory": "starcluster before 0.95.3 opens up the VPC to the internet by default which is a security risk and it requires a special VPC configuration (internet gateway attached to the VPC and a route to the gateway with dest CIDR block 0.0.0.0/0 associated with the VPC subnet).  Configuring this automatically (which does not happen currently) would be a security risk and without this configuration StarCluster cannot connect to the VPC nodes even though they've been assigned a public IP.",
            "cve": null,
            "id": "pyup.io-26142",
            "specs": [
                "<0.95.3"
            ],
            "v": "<0.95.3"
        }
    ],
    "stargate": [
        {
            "advisory": "stargate before 0.4 has several undisclosed security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-26143",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        }
    ],
    "staty": [
        {
            "advisory": "Staty 1.2.3 updates requirements to fix security issues.",
            "cve": null,
            "id": "pyup.io-37049",
            "specs": [
                "<1.2.3"
            ],
            "v": "<1.2.3"
        }
    ],
    "stegano": [
        {
            "advisory": "stegano 0.8.6 fixes a potential security issue related to CVE-2018-18074.",
            "cve": null,
            "id": "pyup.io-36625",
            "specs": [
                "<0.8.6"
            ],
            "v": "<0.8.6"
        }
    ],
    "stomp.py": [
        {
            "advisory": "Stomp.py 4.1.22 reduces verbosity in logging to not include headers unless debug level is turned on. This was a potential security issue as per: <https://github.com/jasonrbriggs/stomp.py/issues/226>.",
            "cve": null,
            "id": "pyup.io-37046",
            "specs": [
                "<4.1.22"
            ],
            "v": "<4.1.22"
        }
    ],
    "stormpath": [
        {
            "advisory": "stormpath before 2.0.5 is using an insecure transitive dependency (pyjwt).",
            "cve": null,
            "id": "pyup.io-26144",
            "specs": [
                "<2.0.5"
            ],
            "v": "<2.0.5"
        },
        {
            "advisory": "stormpath before 2.5.0 doesn't validate JWT correctly.",
            "cve": null,
            "id": "pyup.io-26145",
            "specs": [
                "<2.5.0"
            ],
            "v": "<2.5.0"
        }
    ],
    "stormpath-sdk": [
        {
            "advisory": "stormpath-sdk before 2.5.0 doesn't validate JWT correctly.",
            "cve": null,
            "id": "pyup.io-26146",
            "specs": [
                "<2.5.0"
            ],
            "v": "<2.5.0"
        }
    ],
    "streamlit": [
        {
            "advisory": "The `server.address` config option in streamlit 0.57.0 binds the server to that address for added security.",
            "cve": null,
            "id": "pyup.io-38121",
            "specs": [
                "<0.57.0"
            ],
            "v": "<0.57.0"
        }
    ],
    "streamsx-kafka": [
        {
            "advisory": "streamsx-kafka 1.5.1 - resolves security vulnerabilities in third-party libs",
            "cve": null,
            "id": "pyup.io-36807",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "streamsx-objectstorage": [
        {
            "advisory": "streamsx-objectstorage 1.7.2 resolves security vulnerabilities in third-party libs #135",
            "cve": null,
            "id": "pyup.io-36618",
            "specs": [
                "<1.7.0"
            ],
            "v": "<1.7.0"
        }
    ],
    "streamsx.messagehub": [
        {
            "advisory": "streamsx.messagehub 1.5.1 resolves security vulnerabilities in third-party libs",
            "cve": null,
            "id": "pyup.io-36727",
            "specs": [
                "<1.5.1"
            ],
            "v": "<1.5.1"
        }
    ],
    "suds": [
        {
            "advisory": "cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.",
            "cve": "CVE-2013-2217",
            "id": "pyup.io-35433",
            "specs": [
                "<=0.4"
            ],
            "v": "<=0.4"
        }
    ],
    "suds-community": [
        {
            "advisory": "suds-community 0.7.0 fixes `FileCache` default cache location related security issue.",
            "cve": "CVE-2013-2217",
            "id": "pyup.io-36562",
            "specs": [
                "<0.7.0"
            ],
            "v": "<0.7.0"
        }
    ],
    "superset": [
        {
            "advisory": "Superset 0.11.0a allows for requesting access when denied on a dashboard view (#1192). It also allows to set static headers as configuration (#1126) and prevents XSS on FAB list views (#1125).",
            "cve": null,
            "id": "pyup.io-26147",
            "specs": [
                "<0.11.0a"
            ],
            "v": "<0.11.0a"
        },
        {
            "advisory": "Superset 0.14.0a improves jinja2 security by using SandboxedEnvironment (#1632) and improves the security scheme (#1587).",
            "cve": null,
            "id": "pyup.io-37486",
            "specs": [
                "<0.14.0a"
            ],
            "v": "<0.14.0a"
        },
        {
            "advisory": "Superset 0.19.1a prevents XSS markup viz (#3211).",
            "cve": null,
            "id": "pyup.io-37487",
            "specs": [
                "<0.19.1a"
            ],
            "v": "<0.19.1a"
        },
        {
            "advisory": "Superset 0.23.0a bumps dependencies with security issues (#4427). It also fixes 4 security vulnerabilities (#4390) and adds all derived FAB UserModelView views to admin only (#4180).",
            "cve": null,
            "id": "pyup.io-36204",
            "specs": [
                "<0.23.0a"
            ],
            "v": "<0.23.0a"
        },
        {
            "advisory": "Superset 0.29.0rc8a secures unsecured views and prevent regressions (#6553).",
            "cve": null,
            "id": "pyup.io-37488",
            "specs": [
                "<0.29.0rc8a"
            ],
            "v": "<0.29.0rc8a"
        },
        {
            "advisory": "Superset 0.32.0rc2.dev2a includes new, deprecate merge_perm. Also, the FAB method is fixed (#7355).",
            "cve": null,
            "id": "pyup.io-26584",
            "specs": [
                "<0.32.0rc2.dev2a"
            ],
            "v": "<0.32.0rc2.dev2a"
        },
        {
            "advisory": "Superset 0.33.0rc1a adds Flask-Talisman (#7443).",
            "cve": null,
            "id": "pyup.io-37485",
            "specs": [
                "<0.33.0rc1a"
            ],
            "v": "<0.33.0rc1a"
        },
        {
            "advisory": "Superset 0.34.0a adds docstrings and type hints (#7952), and bumps python libs, addressing insecure releases (#7550).",
            "cve": null,
            "id": "pyup.io-26602",
            "specs": [
                "<0.34.0a"
            ],
            "v": "<0.34.0a"
        }
    ],
    "superset-hand": [
        {
            "advisory": "superset-hand before 0.11.0 is vulnerable to a XSS attack on FAB list views.",
            "cve": null,
            "id": "pyup.io-26148",
            "specs": [
                "<0.11.0"
            ],
            "v": "<0.11.0"
        }
    ],
    "superset-tddv": [
        {
            "advisory": "superset-tddv before 0.11.0 is vulnerable to a XSS attack on FAB list views.",
            "cve": null,
            "id": "pyup.io-26149",
            "specs": [
                "<0.11.0"
            ],
            "v": "<0.11.0"
        }
    ],
    "supervisor": [
        {
            "advisory": "In supervisor before 3.3.3 (fix backported to 3.2.4, 3.1.4 and 3.0.1) a vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server. The commands will be run as the same user as ``supervisord``.  Depending on how ``supervisord`` has been configured, this may be root.  See https://github.com/Supervisor/supervisor/issues/964 for details.",
            "cve": null,
            "id": "pyup.io-34840",
            "specs": [
                ">=3.3,<3.3.3",
                ">=3.2,<3.2.4",
                ">=3.1,<3.1.4",
                "<3.0.1"
            ],
            "v": ">=3.3,<3.3.3,>=3.2,<3.2.4,>=3.1,<3.1.4,<3.0.1"
        }
    ],
    "swauth": [
        {
            "advisory": "swauth before 1.1.0 has multiple undisclosed security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-26150",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "swift": [
        {
            "advisory": "swift before 2.6.0 is vulnerable to an attack where an unfinished read of a large object would leak a socket file descriptor and a small amount of memory. (CVE-2016-0738)",
            "cve": null,
            "id": "pyup.io-26151",
            "specs": [
                "<2.6.0"
            ],
            "v": "<2.6.0"
        }
    ],
    "swifter": [
        {
            "advisory": "Swifter 0.292 fixes a known security vulnerability in parso <= 0.4.0 by requiring parso > 0.4.0",
            "cve": null,
            "id": "pyup.io-37369",
            "specs": [
                "<0.292"
            ],
            "v": "<0.292"
        }
    ],
    "syft": [
        {
            "advisory": "Syft 0.2.3:\r\n* Fixes a potential security issue with unsafe YAML loading\r\n* Removes an insecure eval in native tensor interpreter",
            "cve": null,
            "id": "pyup.io-37958",
            "specs": [
                "<0.2.3"
            ],
            "v": "<0.2.3"
        },
        {
            "advisory": "syft 0.2.3.a1 removes an insecure eval in native tensor interpreter",
            "cve": null,
            "id": "pyup.io-37930",
            "specs": [
                "<0.2.3.a1"
            ],
            "v": "<0.2.3.a1"
        }
    ],
    "synse": [
        {
            "advisory": "Synse 2.2.6 updates pyyaml version for CVE-2017-18342. See: <https://github.com/vapor-ware/synse-server/pull/239>.",
            "cve": "CVE-2017-18342",
            "id": "pyup.io-37393",
            "specs": [
                "<2.2.6"
            ],
            "v": "<2.2.6"
        }
    ],
    "tablib": [
        {
            "advisory": "An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability.",
            "cve": "CVE-2017-2810",
            "id": "pyup.io-35731",
            "specs": [
                "<0.11.4"
            ],
            "v": "<0.11.4"
        }
    ],
    "tahoe-lafs": [
        {
            "advisory": "tahoe-lafs before 1.2.0 doesn't make the immutable-file \"ciphertext hash tree\" mandatory.",
            "cve": null,
            "id": "pyup.io-26152",
            "specs": [
                "<1.2.0"
            ],
            "v": "<1.2.0"
        },
        {
            "advisory": "tahoe-lafs before 1.4.1 is vulnerable to timing attacks due to our use of strcmp against the write-enabler.",
            "cve": null,
            "id": "pyup.io-26153",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        },
        {
            "advisory": "tahoe-lafs before 1.8.3 has a flaw that would allow a person who knows a storage index of a file to delete shares of that file.",
            "cve": null,
            "id": "pyup.io-26154",
            "specs": [
                "<1.8.3"
            ],
            "v": "<1.8.3"
        },
        {
            "advisory": "tahoe-lafs before 1.9.1 has a flaw that would allow servers to cause undetected corruption when\r\n  retrieving the contents of mutable files (both SDMF and MDMF).",
            "cve": null,
            "id": "pyup.io-26155",
            "specs": [
                "<1.9.1"
            ],
            "v": "<1.9.1"
        }
    ],
    "taskcluster": [
        {
            "advisory": "Taskcluster 24.1.3 fixes a possible XSS vulnerability with the lazylog viewer - see: http://bugzil.la/1605933",
            "cve": null,
            "id": "pyup.io-37675",
            "specs": [
                "<24.1.3"
            ],
            "v": "<24.1.3"
        }
    ],
    "tbats": [
        {
            "advisory": "Tbats 1.0.7 upgrades its dependencies due to an vulnerability in Jinja2. In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.",
            "cve": null,
            "id": "pyup.io-37051",
            "specs": [
                "<1.0.7"
            ],
            "v": "<1.0.7"
        },
        {
            "advisory": "Tbats 1.0.8 upgrades its dependencies due to an vulnerability in urllib3. See CVE-2019-11324.",
            "cve": "CVE-2019-11324",
            "id": "pyup.io-37336",
            "specs": [
                "<1.0.8"
            ],
            "v": "<1.0.8"
        }
    ],
    "telemeta": [
        {
            "advisory": "telemeta before 1.4.31 has a undisclosed security vulnerability in TELEMETA_EXPORT_CACHE_DIR.",
            "cve": null,
            "id": "pyup.io-26156",
            "specs": [
                "<1.4.31"
            ],
            "v": "<1.4.31"
        }
    ],
    "telnet": [
        {
            "advisory": "telnet is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34985",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "tendenci": [
        {
            "advisory": "tendenci 11.1.1 updates Django version to 1.11.20 to patch a security issue in django 1.11.18",
            "cve": null,
            "id": "pyup.io-36888",
            "specs": [
                "<11.1.1"
            ],
            "v": "<11.1.1"
        },
        {
            "advisory": "Tendenci 11.2.12 strips null bytes to avoid null byte injection attacks.",
            "cve": null,
            "id": "pyup.io-37350",
            "specs": [
                "<11.2.12"
            ],
            "v": "<11.2.12"
        },
        {
            "advisory": "Tendenci 11.2.8 upgrades bootstrap from 3.3.1 to 3.4.1. There are XSS vulnerabilities in version lower than 3.4.1.",
            "cve": null,
            "id": "pyup.io-37150",
            "specs": [
                "<11.2.8"
            ],
            "v": "<11.2.8"
        },
        {
            "advisory": "Tendenci 7.4.0 disables GZipMiddleware to prevent BREACH attacks and prevents fraudulent simultaneous reuse of PayPal transactions.",
            "cve": null,
            "id": "pyup.io-35055",
            "specs": [
                "<7.4.0"
            ],
            "v": "<7.4.0"
        }
    ],
    "teneto": [
        {
            "advisory": "In teneto 0.4.5, save_tenetobids_snapshot to export current teneto settings. save_to_pickle (and corresponding load function) have been removed as they are not secure.",
            "cve": null,
            "id": "pyup.io-37550",
            "specs": [
                "<0.4.5"
            ],
            "v": "<0.4.5"
        }
    ],
    "tensorflow": [
        {
            "advisory": "tensorflow before 1.10.0 uses an insecure grpc dependency.",
            "cve": null,
            "id": "pyup.io-36375",
            "specs": [
                "<1.10.0"
            ],
            "v": "<1.10.0"
        },
        {
            "advisory": "Tensorflow 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.",
            "cve": null,
            "id": "pyup.io-37167",
            "specs": [
                "<1.12.2"
            ],
            "v": "<1.12.2"
        },
        {
            "advisory": "Tensorflow 2.0 fixes a potential security vulnerability where decoding variant tensors from proto could result in heap out of bounds memory access.",
            "cve": null,
            "id": "pyup.io-37524",
            "specs": [
                "<2.0"
            ],
            "v": "<2.0"
        },
        {
            "advisory": "Tensorflow 1.15.2 and 2.0.1 update `sqlite3` to `3.30.01` to handle CVE-2019-19646, CVE-2019-19645 and CVE-2019-16168.",
            "cve": null,
            "id": "pyup.io-38038",
            "specs": [
                ">=1.0,<1.15.2",
                ">=2.0.0a0,<2.0.1"
            ],
            "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1"
        },
        {
            "advisory": "In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant(\"hello\", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0. See: CVE-2020-5215.",
            "cve": "CVE-2020-5215",
            "id": "pyup.io-37776",
            "specs": [
                ">=1.0,<1.15.2",
                ">=2.0.0a0,<2.0.1"
            ],
            "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1"
        },
        {
            "advisory": "Tensorflow 1.15.2 and 2.0.1 update `curl` to `7.66.0` to handle CVE-2019-5482 and CVE-2019-5481.",
            "cve": "CVE-2019-5482, CVE-2019-5481",
            "id": "pyup.io-38039",
            "specs": [
                ">=1.0,<1.15.2",
                ">=2.0.0a0,<2.0.1"
            ],
            "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1"
        }
    ],
    "textract": [
        {
            "advisory": "textract before 1.5.0 doesn't properly uses subprocess.call.",
            "cve": null,
            "id": "pyup.io-26157",
            "specs": [
                "<1.5.0"
            ],
            "v": "<1.5.0"
        }
    ],
    "tf-encrypted": [
        {
            "advisory": "Tf-encrypted before 0.5.1 did not include  a secure version of `tf.negative`.",
            "cve": null,
            "id": "pyup.io-37058",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        }
    ],
    "thamos": [
        {
            "advisory": "Thamos 0.1.0 uses yaml.safe_load for security reasons.",
            "cve": null,
            "id": "pyup.io-37295",
            "specs": [
                "<0.1.0"
            ],
            "v": "<0.1.0"
        }
    ],
    "thorn": [
        {
            "advisory": "thorn before 1.1.0 has several security vulnerabilities: Now provides HMAC signing by default, No longer dispatches webhooks to internal networks, Now only dispatches to HTTP and HTTPS URLs by default, Now only dispatches to ports 80 and 443 by default, Adds recipient validators",
            "cve": null,
            "id": "pyup.io-26158",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        }
    ],
    "thrift": [
        {
            "advisory": "Thrift 0.11.0 improves SSL security by adding cross client checks to make sure SSLv3 protocol cannot be negotiated - see: https://issues.apache.org/jira/browse/THRIFT-4084",
            "cve": null,
            "id": "pyup.io-37644",
            "specs": [
                "<0.11.0"
            ],
            "v": "<0.11.0"
        },
        {
            "advisory": "Thrift 0.9 fixes a denial of Service attack in TBinaryProtocol.readString - see: https://issues.apache.org/jira/browse/THRIFT-2272",
            "cve": null,
            "id": "pyup.io-37646",
            "specs": [
                "<0.9"
            ],
            "v": "<0.9"
        },
        {
            "advisory": "Thrift 0.9.3 fixes:\r\n- C++ TSSLSocket shutdown delay/vulnerability - see: https://issues.apache.org/jira/browse/THRIFT-3061\r\n- Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation - see: https://issues.apache.org/jira/browse/THRIFT-3164",
            "cve": null,
            "id": "pyup.io-37645",
            "specs": [
                "<0.9.3"
            ],
            "v": "<0.9.3"
        },
        {
            "advisory": "Thrift 0.9.3.1 fixes CVE-2018-1320 in 0.9.3 - see: https://issues.apache.org/jira/browse/THRIFT-4506",
            "cve": "CVE-2018-1320",
            "id": "pyup.io-37643",
            "specs": [
                "<0.9.3.1"
            ],
            "v": "<0.9.3.1"
        }
    ],
    "tiddlyweb": [
        {
            "advisory": "tiddlyweb before 1.2.18 allowed empty passwords to authenticate.",
            "cve": null,
            "id": "pyup.io-26159",
            "specs": [
                "<1.2.18"
            ],
            "v": "<1.2.18"
        }
    ],
    "tinydb": [
        {
            "advisory": "tinydb-serialization before 2.0.0 has an insecure implementation in ``ConcurrencyMiddleware``.",
            "cve": null,
            "id": "pyup.io-26160",
            "specs": [
                "<2.0.0"
            ],
            "v": "<2.0.0"
        }
    ],
    "tlslite": [
        {
            "advisory": "The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash).",
            "cve": "CVE-2015-3220",
            "id": "pyup.io-35614",
            "specs": [
                "<0.4.9"
            ],
            "v": "<0.4.9"
        }
    ],
    "tmc": [
        {
            "advisory": "tmc 0.3.5 fixes a vulnerability where symlinks in zips could be used to read any file on the server where the server had read access.",
            "cve": null,
            "id": "pyup.io-34672",
            "specs": [
                "<0.3.5"
            ],
            "v": "<0.3.5"
        }
    ],
    "tornado": [
        {
            "advisory": "CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.",
            "cve": "CVE-2012-2374",
            "id": "pyup.io-26161",
            "specs": [
                "<2.2.1"
            ],
            "v": "<2.2.1"
        }
    ],
    "tqdm": [
        {
            "advisory": "The tqdm._version module in tqdm versions before 4.11.2 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.",
            "cve": null,
            "id": "pyup.io-34741",
            "specs": [
                "<4.11.2"
            ],
            "v": "<4.11.2"
        }
    ],
    "tracauthopenid": [
        {
            "advisory": "tracauthopenid before 0.4.4 does not properly authorize if no email address was returned via AX or SREG, the ``email_white_list`` config option was being ignored.  Now if ``email_white_list`` is set and no email address can be determined, authorization will be denied.",
            "cve": null,
            "id": "pyup.io-26162",
            "specs": [
                "<0.4.4"
            ],
            "v": "<0.4.4"
        }
    ],
    "trash-cli": [
        {
            "advisory": "trash-cli before 0.17.1.14 has a bug that causes trash-put to use $topdir/.Trash/UID trashcan even when it is not secure and $topdir/.Trash-UID should be used instead.",
            "cve": null,
            "id": "pyup.io-34319",
            "specs": [
                "<0.17.1.14"
            ],
            "v": "<0.17.1.14"
        }
    ],
    "trio-websockets": [
        {
            "advisory": "trio-websockets before 5.0 was vulnerable to denial of service by memory exhaustion because it didn't enforce ``max_size`` when decompressing compressed messages.",
            "cve": null,
            "id": "pyup.io-36390",
            "specs": [
                "<5.0"
            ],
            "v": "<5.0"
        }
    ],
    "tripleo-heat-templates": [
        {
            "advisory": "The TripleO Heat templates (tripleo-heat-templates), when deployed via the commandline interface, allow remote attackers to spoof OpenStack Networking metadata requests by leveraging knowledge of the default value of the NeutronMetadataProxySharedSecret parameter.",
            "cve": "CVE-2015-5303",
            "id": "pyup.io-26163",
            "specs": [
                "<0.8.10",
                "==1.0.0"
            ],
            "v": "<0.8.10,==1.0.0"
        },
        {
            "advisory": "The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.",
            "cve": "CVE-2015-5271",
            "id": "pyup.io-26164",
            "specs": [
                "<0.8.7"
            ],
            "v": "<0.8.7"
        }
    ],
    "trosnoth": [
        {
            "advisory": "trosnoth before 1.13.0 had insecure hard-coded server settings in the configuration file.",
            "cve": null,
            "id": "pyup.io-36954",
            "specs": [
                "<1.13.0"
            ],
            "v": "<1.13.0"
        }
    ],
    "trustpilot": [
        {
            "advisory": "Trustpilot 6.1.0 includes security upgrades of the requests and urllib dependencies.",
            "cve": null,
            "id": "pyup.io-38105",
            "specs": [
                "<6.1.0"
            ],
            "v": "<6.1.0"
        }
    ],
    "tryton": [
        {
            "advisory": "model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.",
            "cve": "CVE-2012-0215",
            "id": "pyup.io-26165",
            "specs": [
                "<2.4.0"
            ],
            "v": "<2.4.0"
        }
    ],
    "trytond": [
        {
            "advisory": "model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.",
            "cve": "CVE-2012-0215",
            "id": "pyup.io-26166",
            "specs": [
                "<2.4.0"
            ],
            "v": "<2.4.0"
        }
    ],
    "tuf": [
        {
            "advisory": "Tuf 0.11.1 prevents a persistent freeze attack - see: https://github.com/theupdateframework/tuf/pull/737",
            "cve": null,
            "id": "pyup.io-36279",
            "specs": [
                "<0.11.1"
            ],
            "v": "<0.11.1"
        },
        {
            "advisory": "Tuf 1.3 fixes security issues with pip's use of temp build directories.",
            "cve": null,
            "id": "pyup.io-26167",
            "specs": [
                "<1.3"
            ],
            "v": "<1.3"
        }
    ],
    "tweepy": [
        {
            "advisory": "Tweepy does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the Python httplib library.",
            "cve": "CVE-2012-5825",
            "id": "pyup.io-26168",
            "specs": [
                "<3.0"
            ],
            "v": "<3.0"
        }
    ],
    "twilio": [
        {
            "advisory": "twilio before 3.5.0 is vulnerable to a timing attack vector in signature validation.",
            "cve": null,
            "id": "pyup.io-26169",
            "specs": [
                "<3.5.0"
            ],
            "v": "<3.5.0"
        }
    ],
    "twine": [
        {
            "advisory": "Twine 2.0.0 bumps requests to 2.20 (or later) to avoid reported security vulnerabilities in earlier releases (bug 491).",
            "cve": null,
            "id": "pyup.io-37504",
            "specs": [
                "<2.0.0"
            ],
            "v": "<2.0.0"
        }
    ],
    "twisted": [
        {
            "advisory": "In twisted Core 17.1.0, twisted.internet.ssl.CertificateOptions has the new constructor argument 'raiseMinimumTo', allowing you to increase the minimum TLS version to this version or Twisted's default, whichever is higher. The additional new constructor arguments 'lowerMaximumSecurityTo' and 'insecurelyLowerMinimumTo' allow finer grained control over negotiated versions that don't honour Twisted's defaults, for working around broken peers, at the cost of reducing the security of the TLS it will negotiate. (#6800)",
            "cve": null,
            "id": "pyup.io-34914",
            "specs": [
                "<17.1.0"
            ],
            "v": "<17.1.0"
        },
        {
            "advisory": "Before twisted 19.2.0, the twisted.web.client.Request and twisted.web.client.HTTPClient were both vulnerable to header injection attacks.  They now replace linear whitespace ('\\r', '\\n', and '\\r\\n') with a single space. (#9421)",
            "cve": null,
            "id": "pyup.io-37040",
            "specs": [
                "<19.2.0"
            ],
            "v": "<19.2.0"
        },
        {
            "advisory": "In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.",
            "cve": "CVE-2019-12387",
            "id": "pyup.io-37209",
            "specs": [
                "<19.2.1"
            ],
            "v": "<19.2.1"
        },
        {
            "advisory": "In twisted 19.7.0, twisted.words.protocols.jabber.xmlstream.TLSInitiatingInitializer properly verifies the server's certificate against platform CAs and the stream's domain, mitigating CVE-2019-12855. (#9561)",
            "cve": "CVE-2019-12855",
            "id": "pyup.io-37554",
            "specs": [
                "<19.7.0"
            ],
            "v": "<19.7.0"
        },
        {
            "advisory": "In twisted before 20.3.0, twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header and now fail with a 400; requests whose Transfer-Encoding header had a value other than \"chunked\" and \"identity\" were allowed and now fail with a 400. (9770)",
            "cve": "CVE-2020-10108,CVE-2020-10109",
            "id": "pyup.io-38085",
            "specs": [
                "<20.3.0"
            ],
            "v": "<20.3.0"
        }
    ],
    "twitchirc": [
        {
            "advisory": "twitchirc before 1.3 does not include a secure option to [`Connection`](twitchirc/twitchirc/connection.py)",
            "cve": null,
            "id": "pyup.io-37820",
            "specs": [
                "<1.3"
            ],
            "v": "<1.3"
        }
    ],
    "twodolib": [
        {
            "advisory": "Twodolib 0.5.1 updated its requirements for security reasons.",
            "cve": null,
            "id": "pyup.io-37306",
            "specs": [
                "<0.5.1"
            ],
            "v": "<0.5.1"
        }
    ],
    "udata": [
        {
            "advisory": "Udata 1.6.16 prevents Google ranking spam attacks on reuse pages (`rel=nofollow` on reuse link) - see: https://github.com/opendatateam/udata/pull/2320",
            "cve": null,
            "id": "pyup.io-37589",
            "specs": [
                "<1.6.16"
            ],
            "v": "<1.6.16"
        }
    ],
    "ugoira": [
        {
            "advisory": "Ugoira 0.5.0 uses secure protocol (HTTPS) instead of naive (HTTP).",
            "cve": null,
            "id": "pyup.io-37200",
            "specs": [
                "<0.5.0"
            ],
            "v": "<0.5.0"
        }
    ],
    "unicef-locations": [
        {
            "advisory": "unicef-locations 1.4.2 updates requirements, django security alert, and moved to psycopg2-binary",
            "cve": null,
            "id": "pyup.io-36717",
            "specs": [
                "<1.4.2"
            ],
            "v": "<1.4.2"
        }
    ],
    "unicef-rest-export": [
        {
            "advisory": "unicef-rest-export 0.5.2 updates django and pyyaml requirements for security patches",
            "cve": null,
            "id": "pyup.io-36990",
            "specs": [
                "<0.5.2"
            ],
            "v": "<0.5.2"
        }
    ],
    "unleashclient": [
        {
            "advisory": "unleashclient 1.0.2 updates requests version to address security issue in dependency.",
            "cve": null,
            "id": "pyup.io-36585",
            "specs": [
                "<1.0.2"
            ],
            "v": "<1.0.2"
        }
    ],
    "urlib3": [
        {
            "advisory": "urlib3 is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34986",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "urllib": [
        {
            "advisory": "urllib is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
            "cve": null,
            "id": "pyup.io-34987",
            "specs": [
                ">0",
                "<0"
            ],
            "v": ">0,<0"
        }
    ],
    "urllib3": [
        {
            "advisory": "urllib3 before 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.",
            "cve": "CVE-2018-20060",
            "id": "pyup.io-36541",
            "specs": [
                "<1.23"
            ],
            "v": "<1.23"
        },
        {
            "advisory": "The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. See: CVE-2019-11324.",
            "cve": "CVE-2019-11324",
            "id": "pyup.io-37071",
            "specs": [
                "<1.24.2"
            ],
            "v": "<1.24.2"
        },
        {
            "advisory": "In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. See: CVE-2019-11236.",
            "cve": "CVE-2019-11236",
            "id": "pyup.io-37055",
            "specs": [
                "<=1.24.1"
            ],
            "v": "<=1.24.1"
        },
        {
            "advisory": "Users who are using urllib3 version 1.17 or 1.18 along with PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This release fixes a vulnerability whereby urllib3 in the above configuration would silently fail to validate TLS certificates due to erroneously setting invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous flags do not cause a problem in OpenSSL versions before 1.1.0, which interprets the presence of any flag as requesting certificate validation.",
            "cve": null,
            "id": "pyup.io-26170",
            "specs": [
                "==1.17",
                "==1.18"
            ],
            "v": "==1.17,==1.18"
        },
        {
            "advisory": "The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2). See: CVE-2020-7212.",
            "cve": "CVE-2020-7212",
            "id": "pyup.io-27519",
            "specs": [
                ">=1.25.2,<=1.25.7"
            ],
            "v": ">=1.25.2,<=1.25.7"
        }
    ],
    "verifone": [
        {
            "advisory": "verifone 0.1.8 updates Pipfiles and requirement files. There was security issue in PyYAML module.",
            "cve": null,
            "id": "pyup.io-36774",
            "specs": [
                "<0.1.8"
            ],
            "v": "<0.1.8"
        }
    ],
    "vermin": [
        {
            "advisory": "Vermin 0.10.1 fixes the security advisory by upgrading bleach from 3.1.0 to 3.1.1.",
            "cve": null,
            "id": "pyup.io-38033",
            "specs": [
                "<0.10.1"
            ],
            "v": "<0.10.1"
        },
        {
            "advisory": "vermin 0.4.11 Due to a security vulnerability in PyYAML <=3.13, it has been updated to 4.2b1.",
            "cve": null,
            "id": "pyup.io-36942",
            "specs": [
                "<0.4.11"
            ],
            "v": "<0.4.11"
        },
        {
            "advisory": "vermin 0.4.8 updates `requests` to 2.20.0 to avoid security vulnerability in <=2.19.1",
            "cve": null,
            "id": "pyup.io-36603",
            "specs": [
                "<0.4.8"
            ],
            "v": "<0.4.8"
        },
        {
            "advisory": "vermin 0.4.9 updates a security vulnerability in `urllib3` <1.23. It has been updated to 1.24.1. `requests` has been updates to 2.20.0 in v0.4.8.",
            "cve": null,
            "id": "pyup.io-36725",
            "specs": [
                "<0.4.9"
            ],
            "v": "<0.4.9"
        },
        {
            "advisory": "Vermin 0.5.0 upgrades urllib3 to version 1.24.2 due to a security vulnerability. See CVE-2019-11324.",
            "cve": "CVE-2019-11324",
            "id": "pyup.io-37094",
            "specs": [
                "<0.5.0"
            ],
            "v": "<0.5.0"
        }
    ],
    "vips-hash": [
        {
            "advisory": "Vips-hash 0.2.0 sets `pycryptodomex` version to `>=3.6.6,<4` to fix a vulnerability.",
            "cve": null,
            "id": "pyup.io-37354",
            "specs": [
                "<0.2.0"
            ],
            "v": "<0.2.0"
        }
    ],
    "virtualenv": [
        {
            "advisory": "virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.",
            "cve": "CVE-2011-4617",
            "id": "pyup.io-26172",
            "specs": [
                "<1.5"
            ],
            "v": "<1.5"
        }
    ],
    "virustotal-python": [
        {
            "advisory": "Virustotal-python 0.0.3 updates urllib3 to 1.24.2 for security reasons. See CVE-2019-11236.",
            "cve": "CVE-2019-11236",
            "id": "pyup.io-37078",
            "specs": [
                "<0.0.3"
            ],
            "v": "<0.0.3"
        },
        {
            "advisory": "Virustotal-python 0.0.8 bumps dependencies to address security issues",
            "cve": null,
            "id": "pyup.io-37960",
            "specs": [
                "<0.0.8"
            ],
            "v": "<0.0.8"
        }
    ],
    "vnccollab.theme": [
        {
            "advisory": "vnccollab.theme before 1.5.2 has an undisclosed vulnerability in VNC Zimlet.",
            "cve": null,
            "id": "pyup.io-26173",
            "specs": [
                "<1.5.2"
            ],
            "v": "<1.5.2"
        }
    ],
    "vorta": [
        {
            "advisory": "Vorta 0.6.21 includes a not further specified, small security improvement.",
            "cve": null,
            "id": "pyup.io-37332",
            "specs": [
                "<0.6.21"
            ],
            "v": "<0.6.21"
        }
    ],
    "wagtail-2fa": [
        {
            "advisory": "Wagtail-2fa 1.1.0 requires the user to enter their password when creating a new token. This is done based on feedback of a security test by an external company.",
            "cve": null,
            "id": "pyup.io-37614",
            "specs": [
                "<1.1.0"
            ],
            "v": "<1.1.0"
        },
        {
            "advisory": "wagtail-2fa 1.4.1 resolve a possible vulnerability where users could delete other users' 2FA devices",
            "cve": null,
            "id": "pyup.io-37860",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        }
    ],
    "waitress": [
        {
            "advisory": "Waitress 0.9.0 adds in checking for line feed/carriage return HTTP Response Splitting in the status line, as well as\r\n  the key of a header. See https://github.com/Pylons/waitress/pull/124 and https://github.com/Pylons/waitress/issues/122.",
            "cve": null,
            "id": "pyup.io-36764",
            "specs": [
                "<0.9.0"
            ],
            "v": "<0.9.0"
        },
        {
            "advisory": "Waitress before 1.0.0 drops HTTP headers that contain an underscore in the key when received from a client. This is to stop any possible underscore/dash conflation that may lead to security issues. See: https://github.com/Pylons/waitress/pull/80 and https://www.djangoproject.com/weblog/2015/jan/13/security/",
            "cve": null,
            "id": "pyup.io-26174",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        },
        {
            "advisory": "waitress 1.2.0b1 provides a new security feature when using Waitress behind a proxy in that it is possible to remove untrusted proxy headers thereby making sure that downstream WSGI applications don't accidentally use those proxy headers to make security decisions",
            "cve": null,
            "id": "pyup.io-26390",
            "specs": [
                "<1.2.0b1"
            ],
            "v": "<1.2.0b1"
        },
        {
            "advisory": "Waitress 1.4.0 addresses an issue in which a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR, (although the line terminator for the start-line and header fields is the sequence CRLF).\r\n\r\nSee\r\nhttps://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6\r\nCVE-ID: CVE-2019-16785\r\nCVE-ID: CVE-2019-16786",
            "cve": "CVE-2019-16785, CVE-2019-16786",
            "id": "pyup.io-37822",
            "specs": [
                "<1.4.0"
            ],
            "v": "<1.4.0"
        },
        {
            "advisory": "1.4.1 introduces a function which strips whitespace from header values to prevent accidentally treatment of non-printable characters as whitespace, leading to a potential HTTP request smuggling/splitting security issue - see https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 and CVE-2019-16789",
            "cve": "CVE-2019-16789",
            "id": "pyup.io-37674",
            "specs": [
                "<1.4.1"
            ],
            "v": "<1.4.1"
        },
        {
            "advisory": "Waitress 1.4.2 improves a function (introduced in 1.4.1) that strips whitespace from header values to prevent accidentally treatment of non-printable characters as whitespace, leading to a potential HTTP request smuggling/splitting security issue - see https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 and CVE-ID: CVE-2019-16789",
            "cve": "CVE-2019-16789",
            "id": "pyup.io-37673",
            "specs": [
                "<1.4.2"
            ],
            "v": "<1.4.2"
        },
        {
            "advisory": "waitress 1.4.3 fixes a regular expression function (introduced in 1.4.2 to make sure that it matches RFC7230) that led to catastrophic backtracking which allows for a Denial of Service and CPU usage going to a 100% - see https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc",
            "cve": null,
            "id": "pyup.io-37667",
            "specs": [
                "<1.4.3"
            ],
            "v": "<1.4.3"
        }
    ],
    "wandb": [
        {
            "advisory": "Socket in wandb 0.8.0 only binds to localhost for improved security and prevents firewall warnings in OSX.",
            "cve": null,
            "id": "pyup.io-37149",
            "specs": [
                "<0.8.0"
            ],
            "v": "<0.8.0"
        }
    ],
    "wasmer": [
        {
            "advisory": "Wasmer 0.2.1 updates the hashing algorithm for caching to be crypto-secure.",
            "cve": null,
            "id": "pyup.io-37044",
            "specs": [
                "<0.2.1"
            ],
            "v": "<0.2.1"
        }
    ],
    "watchmaker": [
        {
            "advisory": "watchmaker 0.14.0 implements additional Salt states to address security scan issues",
            "cve": null,
            "id": "pyup.io-36948",
            "specs": [
                "<0.14.0"
            ],
            "v": "<0.14.0"
        }
    ],
    "web-py": [
        {
            "advisory": "web-py  0.39 fixes a security issue with the form and db module.",
            "cve": null,
            "id": "pyup.io-35893",
            "specs": [
                "<0.39"
            ],
            "v": "<0.39"
        },
        {
            "advisory": "Web-py 0.39 fixes a security issue with the form module (tx Orange Tsai) and a security issue with the db module (tx Adri\u00e1n Brav and Orange Tsai).",
            "cve": null,
            "id": "pyup.io-35894",
            "specs": [
                "<0.39"
            ],
            "v": "<0.39"
        }
    ],
    "web.py": [
        {
            "advisory": "web.py  0.39 fixes a security issue in the form module and the db module.",
            "cve": null,
            "id": "pyup.io-35782",
            "specs": [
                "<0.39"
            ],
            "v": "<0.39"
        }
    ],
    "web3": [
        {
            "advisory": "web3 4.7.0  upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.",
            "cve": null,
            "id": "pyup.io-36480",
            "specs": [
                "<4.7.0"
            ],
            "v": "<4.7.0"
        }
    ],
    "webargs": [
        {
            "advisory": "webargs 5.1.3 fixes race condition between parallel requests when the cache is used: `CVE-2019-9710`",
            "cve": null,
            "id": "pyup.io-36963",
            "specs": [
                "<5.1.3"
            ],
            "v": "<5.1.3"
        },
        {
            "advisory": "Flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF. See: CVE-2020-7965.",
            "cve": "CVE-2020-7965",
            "id": "pyup.io-37685",
            "specs": [
                ">=5.0,<=5.5.2"
            ],
            "v": ">=5.0,<=5.5.2"
        },
        {
            "advisory": "Flaskparser.py in Webargs 6.0.0b1 through 6.0.0b4 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF. See: CVE-2020-7965.",
            "cve": "CVE-2020-7965",
            "id": "pyup.io-37684",
            "specs": [
                ">=6.0.0b1,<=6.0.0b4"
            ],
            "v": ">=6.0.0b1,<=6.0.0b4"
        }
    ],
    "webp": [
        {
            "advisory": "Webp 1.0.1 adds further security related hardening in libwebp & libwebpmux.",
            "cve": null,
            "id": "pyup.io-36726",
            "specs": [
                "<0.1.2"
            ],
            "v": "<0.1.2"
        }
    ],
    "websockets": [
        {
            "advisory": "websockets 5.0 fixes a denial of service by memory exhaustion vulnerability.\r\n\r\n**Version 5.0 adds a** ``user_info`` **field to the return value of**\r\n    :func:`~uri.parse_uri` **and** :class:`~uri.WebSocketURI` **.**\r\n\r\n    If you're unpacking :class:`~websockets.WebSocketURI` into four variables,\r\n    adjust your code to account for that fifth field.",
            "cve": null,
            "id": "pyup.io-36234",
            "specs": [
                "<5.0,>=4.0.0"
            ],
            "v": "<5.0,>=4.0.0"
        }
    ],
    "werkzeug": [
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.",
            "cve": "CVE-2016-10516",
            "id": "pyup.io-35661",
            "specs": [
                "<0.11.11"
            ],
            "v": "<0.11.11"
        },
        {
            "advisory": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
            "cve": null,
            "id": "pyup.io-26435",
            "specs": [
                "<0.12"
            ],
            "v": "<0.12"
        },
        {
            "advisory": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
            "cve": null,
            "id": "pyup.io-36967",
            "specs": [
                "<0.15.0"
            ],
            "v": "<0.15.0"
        },
        {
            "advisory": "Werkzeug 0.3.1 fixes a security problem with `werkzeug.contrib.SecureCookie`.",
            "cve": null,
            "id": "pyup.io-26428",
            "specs": [
                "<0.3.1"
            ],
            "v": "<0.3.1"
        },
        {
            "advisory": "Werkzeug 0.6.1 adds secure password hashing and checking functions.",
            "cve": null,
            "id": "pyup.io-26437",
            "specs": [
                "<0.6.1"
            ],
            "v": "<0.6.1"
        },
        {
            "advisory": "werkzeug before 0.8 allowed newlines in the header datastructure, allowing header injection attacks.",
            "cve": null,
            "id": "pyup.io-26175",
            "specs": [
                "<0.8"
            ],
            "v": "<0.8"
        },
        {
            "advisory": "Werkzeug 0.8.3 fixes an XSS problem with redirect targets coming from untrusted sources.",
            "cve": null,
            "id": "pyup.io-26427",
            "specs": [
                "<0.8.3"
            ],
            "v": "<0.8.3"
        },
        {
            "advisory": ":class:`~exceptions.BadRequestKeyError` in werkzeug 0.15.5 adds the ``KeyError`` message to the description if ``e.show_exception`` is set to ``True``. This is a more secure default than the original 0.15.0 behavior and makes it easier to control without losing information.",
            "cve": null,
            "id": "pyup.io-37276",
            "specs": [
                ">=0.15.0,<0.15.5"
            ],
            "v": ">=0.15.0,<0.15.5"
        }
    ],
    "whitenoise": [
        {
            "advisory": "whitenoise 4.1.3 change: Fix potential path traversal attack while running in autorefresh mode on\r\n   Windows",
            "cve": null,
            "id": "pyup.io-37275",
            "specs": [
                "<4.1.3"
            ],
            "v": "<4.1.3"
        }
    ],
    "will": [
        {
            "advisory": "will before 0.5.4 uses a insecure transitive dependency (bottle).",
            "cve": null,
            "id": "pyup.io-35046",
            "specs": [
                "<0.5.4"
            ],
            "v": "<0.5.4"
        }
    ],
    "wirepas-backend-client": [
        {
            "advisory": "Wirepas-backend-client 1.2.0rc2 hides credentials when printing to stdout - see https://github.com/wirepas/backend-client/issues/48",
            "cve": null,
            "id": "pyup.io-37522",
            "specs": [
                "<1.2.0rc2"
            ],
            "v": "<1.2.0rc2"
        }
    ],
    "wordops": [
        {
            "advisory": "The hsts flag in wordops before 1.16.0 on site was not secure with letsencrypt.",
            "cve": null,
            "id": "pyup.io-37541",
            "specs": [
                "<1.16.0"
            ],
            "v": "<1.16.0"
        },
        {
            "advisory": "Wordops 3.9.6 adds fail2ban with custom jails to secure WordPress & SSH.",
            "cve": null,
            "id": "pyup.io-37540",
            "specs": [
                "<3.9.6"
            ],
            "v": "<3.9.6"
        },
        {
            "advisory": "Wordops 3.9.7 secures the proftpd stack with TLS.",
            "cve": null,
            "id": "pyup.io-37539",
            "specs": [
                "<3.9.7"
            ],
            "v": "<3.9.7"
        },
        {
            "advisory": "Wordops 3.9.9 adds `wo secure --ssh` to harden ssh security.",
            "cve": null,
            "id": "pyup.io-37534",
            "specs": [
                "<3.9.9"
            ],
            "v": "<3.9.9"
        },
        {
            "advisory": "Wordops 3.9.9.1 improves the sshd_config template according to Mozilla Infosec guidelines.",
            "cve": null,
            "id": "pyup.io-37533",
            "specs": [
                "<3.9.9.1"
            ],
            "v": "<3.9.9.1"
        }
    ],
    "wpull": [
        {
            "advisory": "wpull before 0.1006.1 is leaking HTTP header fields when transitioning from HTTP to HTTPS.",
            "cve": null,
            "id": "pyup.io-26176",
            "specs": [
                "<0.1006.1"
            ],
            "v": "<0.1006.1"
        }
    ],
    "xdg": [
        {
            "advisory": "A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call. See: CVE-2019-12761.",
            "cve": "CVE-2019-12761",
            "id": "pyup.io-37203",
            "specs": [
                "<0.26"
            ],
            "v": "<0.26"
        },
        {
            "advisory": "Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.",
            "cve": "CVE-2014-1624",
            "id": "pyup.io-35521",
            "specs": [
                "<=0.25"
            ],
            "v": "<=0.25"
        }
    ],
    "xmlschema-acue": [
        {
            "advisory": "Xmlschema-acue 0.9.27:\r\n- Adds support for preventing XML attacks with the use of the *defusedxml* package (added *defuse* argument to schemas)\r\n- Fixes the group circularity (issue 58)\r\n- Fixes the billion laughs attacks using XSD groups expansion",
            "cve": null,
            "id": "pyup.io-37716",
            "specs": [
                "<0.9.27"
            ],
            "v": "<0.9.27"
        }
    ],
    "xtea3": [
        {
            "advisory": "xtea3 1.0.0 change: Removal of CBCMAC (security reasons)",
            "cve": null,
            "id": "pyup.io-37222",
            "specs": [
                "<1.0.0"
            ],
            "v": "<1.0.0"
        }
    ],
    "xuper": [
        {
            "advisory": "xuper 3.2.0 validates autogen tx to avoid fake transaction attack; Fix UTXO with negative frozen heigh could pass transaction check; Check the number of coinbase transactions in a block to avoid byzantine miner;",
            "cve": null,
            "id": "pyup.io-37718",
            "specs": [
                "<3.2.0"
            ],
            "v": "<3.2.0"
        }
    ],
    "yahoo-earnings-calendar": [
        {
            "advisory": "yahoo-earnings-calendar 0.4.0  - fix(security): upgrade requests (14)",
            "cve": null,
            "id": "pyup.io-36697",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        },
        {
            "advisory": "Yahoo-earnings-calendar 0.5.2 upgrades urllib3 to 1.24.2 for security reasons.",
            "cve": null,
            "id": "pyup.io-37079",
            "specs": [
                "<0.5.2"
            ],
            "v": "<0.5.2"
        }
    ],
    "yasha": [
        {
            "advisory": "yasha before 4.0 is parsing JSON without using the 'safe_load' function.",
            "cve": null,
            "id": "pyup.io-35004",
            "specs": [
                "<4.0"
            ],
            "v": "<4.0"
        }
    ],
    "yaybu": [
        {
            "advisory": "yaybu before 0.1.14 doesn't set file system permissions before content is written.",
            "cve": null,
            "id": "pyup.io-26177",
            "specs": [
                "<0.1.14"
            ],
            "v": "<0.1.14"
        }
    ],
    "yorm": [
        {
            "advisory": "yorm 1.6.1 updates `PyYAML` to `5.1` for security fixes.",
            "cve": null,
            "id": "pyup.io-36983",
            "specs": [
                "<1.6.1"
            ],
            "v": "<1.6.1"
        }
    ],
    "yubiauth": [
        {
            "advisory": "yubiauth before 0.2.3 is updating credentials in an insecure way.",
            "cve": null,
            "id": "pyup.io-26178",
            "specs": [
                "<0.2.3"
            ],
            "v": "<0.2.3"
        }
    ],
    "z3c.form": [
        {
            "advisory": "z3c.form before 2.4.2 has a security vulnerability in IBrowserRequest from IFormLayer. This prevents to mixin IBrowserRequest into non IBrowserRequest e.g. IJSONRPCRequest. This should be compatible since a browser request using z3c.form already provides IBrowserRequest and the IFormLayer is only a marker interface used as skin layer.",
            "cve": null,
            "id": "pyup.io-26179",
            "specs": [
                "<2.4.2"
            ],
            "v": "<2.4.2"
        }
    ],
    "zeep": [
        {
            "advisory": "zeep before 0.4.0 is using an insecure XML parser.",
            "cve": null,
            "id": "pyup.io-26180",
            "specs": [
                "<0.4.0"
            ],
            "v": "<0.4.0"
        }
    ],
    "zhmc-ansible-modules": [
        {
            "advisory": "zhmc-ansible-modules 0.6.0 updates the 'requests' package to 2.20.0 to fix CVE-2018-18074  vulnerability",
            "cve": null,
            "id": "pyup.io-36600",
            "specs": [
                "<0.6.0"
            ],
            "v": "<0.6.0"
        }
    ],
    "zhmcclient": [
        {
            "advisory": "zhmcclient 0.21.0 updates Requests package to 2.20.0 to fix CVE-2018-18074 vulnerability",
            "cve": "CVE-2018-18074",
            "id": "pyup.io-36601",
            "specs": [
                "<0.21.0"
            ],
            "v": "<0.21.0"
        }
    ],
    "ziirish": [
        {
            "advisory": "ziirish before 0.0.7.1 has some undisclosed security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-26181",
            "specs": [
                "<0.0.7.1"
            ],
            "v": "<0.0.7.1"
        },
        {
            "advisory": "ziirish before 0.1.0 has some undisclosed security vulnerabilities.",
            "cve": null,
            "id": "pyup.io-26182",
            "specs": [
                "<0.1.0"
            ],
            "v": "<0.1.0"
        },
        {
            "advisory": "ziirish before 0.3.0 doesn't restrict files that can be sent by the agent.",
            "cve": null,
            "id": "pyup.io-26183",
            "specs": [
                "<0.3.0"
            ],
            "v": "<0.3.0"
        }
    ],
    "zodb": [
        {
            "advisory": "Race condition in ZEO/StorageServer.py in Zope Object Database (ZODB) before 3.10.0 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, a related issue to CVE-2010-3492.",
            "cve": "CVE-2010-3495",
            "id": "pyup.io-26184",
            "specs": [
                "<3.10.0"
            ],
            "v": "<3.10.0"
        },
        {
            "advisory": "Unspecified vulnerability in Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise Objects (ZEO) database sharing is enabled, allows remote attackers to execute arbitrary Python code via vectors involving the ZEO network protocol.",
            "cve": "CVE-2009-0668",
            "id": "pyup.io-33165",
            "specs": [
                "<3.8.2"
            ],
            "v": "<3.8.2"
        },
        {
            "advisory": "Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise Objects (ZEO) database sharing is enabled, allows remote attackers to bypass authentication via vectors involving the ZEO network protocol.",
            "cve": "CVE-2009-0669",
            "id": "pyup.io-33166",
            "specs": [
                "<3.8.2"
            ],
            "v": "<3.8.2"
        },
        {
            "advisory": "Unspecified vulnerability in the Zope Enterprise Objects (ZEO) storage-server functionality in Zope Object Database (ZODB) 3.8 before 3.8.3 and 3.9.x before 3.9.0c2, when certain ZEO database sharing and blob support are enabled, allows remote authenticated users to read or delete arbitrary files via unknown vectors.",
            "cve": "CVE-2009-2701",
            "id": "pyup.io-33167",
            "specs": [
                ">=3.9,<3.9.0c2",
                ">=3.8,<3.8.3"
            ],
            "v": ">=3.9,<3.9.0c2,>=3.8,<3.8.3"
        }
    ],
    "zope": [
        {
            "advisory": "Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors.  NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).",
            "cve": "CVE-2012-6661",
            "id": "pyup.io-26189",
            "specs": [
                "<2.13.19"
            ],
            "v": "<2.13.19"
        },
        {
            "advisory": "zope 3.9.0 fixes CVE-2009-2701 and CVE-2009-0668 and CVE-2009-0669",
            "cve": null,
            "id": "pyup.io-36590",
            "specs": [
                "<3.9.0"
            ],
            "v": "<3.9.0"
        },
        {
            "advisory": "CVE-2011-4924: Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104.",
            "cve": "CVE-2011-4924",
            "id": "pyup.io-37737",
            "specs": [
                ">=2.8,<2.8.12",
                ">=2.9,<2.9.12",
                ">=2.10,<2.10.11",
                ">=2.11,<2.11.6",
                ">=2.12,<2.12.3",
                ">=3.1.1,<=3.4.1"
            ],
            "v": ">=2.8,<2.8.12,>=2.9,<2.9.12,>=2.10,<2.10.11,>=2.11,<2.11.6,>=2.12,<2.12.3,>=3.1.1,<=3.4.1"
        }
    ],
    "zope.html": [
        {
            "advisory": "Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.",
            "cve": "CVE-2009-2265",
            "id": "pyup.io-26190",
            "specs": [
                "<1.2"
            ],
            "v": "<1.2"
        }
    ],
    "zope2": [
        {
            "advisory": "ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.",
            "cve": "CVE-2010-3198",
            "id": "pyup.io-26191",
            "specs": [
                "<2.11.7"
            ],
            "v": "<2.11.7"
        },
        {
            "advisory": "Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a \"highly serious vulnerability.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.",
            "cve": "CVE-2011-2528",
            "id": "pyup.io-26192",
            "specs": [
                "<2.12.19",
                ">=2.13,<2.13.8"
            ],
            "v": "<2.12.19,>=2.13,<2.13.8"
        },
        {
            "advisory": "The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 2.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.",
            "cve": "CVE-2012-5489",
            "id": "pyup.io-26193",
            "specs": [
                "<2.13.11",
                "<2.12.21"
            ],
            "v": "<2.13.11,<2.12.21"
        },
        {
            "advisory": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.",
            "cve": "CVE-2012-5486",
            "id": "pyup.io-33168",
            "specs": [
                "<2.13.19"
            ],
            "v": "<2.13.19"
        },
        {
            "advisory": "AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.",
            "cve": "CVE-2012-5507",
            "id": "pyup.io-33169",
            "specs": [
                "<2.13.19"
            ],
            "v": "<2.13.19"
        },
        {
            "advisory": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.",
            "cve": "CVE-2011-3587",
            "id": "pyup.io-26196",
            "specs": [
                "==2.13,==2.12"
            ],
            "v": "==2.13,==2.12"
        },
        {
            "advisory": "Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.",
            "cve": "CVE-2010-1104",
            "id": "pyup.io-26197",
            "specs": [
                ">=2.12,<2.12.3",
                ">=2.10,<2.10.11",
                ">=2.8,<2.8.12",
                ">=2.9,<2.9.12"
            ],
            "v": ">=2.12,<2.12.3,>=2.10,<2.10.11,>=2.8,<2.8.12,>=2.9,<2.9.12"
        }
    ],
    "zopeskel": [
        {
            "advisory": "zopeskel before <2.11 uses an insecure transitive dependency (Zope before 2.9.10).",
            "cve": null,
            "id": "pyup.io-26198",
            "specs": [
                "<2.11"
            ],
            "v": "<2.11"
        }
    ],
    "zsl": [
        {
            "advisory": "zsl 0.22.0 upgrade to newest Flask and removes vulnerable dependencies",
            "cve": null,
            "id": "pyup.io-37856",
            "specs": [
                "<0.22.0"
            ],
            "v": "<0.22.0"
        }
    ],
    "zulip": [
        {
            "advisory": "Zulip 1.5.2:\r\n- CVE-2017-0896: Restricting inviting new users to admins was broken.\r\n- CVE-2015-8861: Insecure old version of handlebars templating engine.",
            "cve": "CVE-2017-0896,CVE-2015-8861",
            "id": "pyup.io-35007",
            "specs": [
                "<1.5.2"
            ],
            "v": "<1.5.2"
        },
        {
            "advisory": "Zulip 1.6.0 adds security hardening before serving uploaded files. It also refactors various endpoints to use a single code path for security hardening.",
            "cve": null,
            "id": "pyup.io-35006",
            "specs": [
                "<1.6.0"
            ],
            "v": "<1.6.0"
        },
        {
            "advisory": "Zulip 1.7.0 adds a new \"incoming webhook\" bot type, limited to only sending messages into Zulip, for better security.",
            "cve": null,
            "id": "pyup.io-35078",
            "specs": [
                "<1.7.0"
            ],
            "v": "<1.7.0"
        },
        {
            "advisory": "Zulip 1.7.1 is a security release, with a handful of cherry-picked changes since 1.7.0. It includes fixes for the upgrade process. Also, on a server with multiple realms, a vulnerability in the invitation system allowed an authorized user of one realm to create an account on any other realm. See CVE-2017-0910.",
            "cve": "CVE-2017-0910",
            "id": "pyup.io-35077",
            "specs": [
                "<1.7.1"
            ],
            "v": "<1.7.1"
        },
        {
            "advisory": "Zulip 1.7.2 is a security release, with a handful of cherry-picked changes since 1.7.1.\r\n- CVE-2018-9986: Fix XSS issues with frontend markdown processor.\r\n- CVE-2018-9987: Fix XSS issue with muting notifications.\r\n- CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.\r\n- CVE-2018-9999: Fix XSS issue with user uploads.  The fix for this adds a Content-Security-Policy for the `LOCAL_UPLOADS_DIR` storage backend for user-uploaded files.",
            "cve": "CVE-2018-9986,CVE-2018-9987,CVE-2018-9990,CVE-2018-9999",
            "id": "pyup.io-36168",
            "specs": [
                "<1.7.2"
            ],
            "v": "<1.7.2"
        },
        {
            "advisory": "Zulip 1.8.0 includes several important security fixes since 1.7.0, which were released already in 1.7.1 and 1.7.2.\r\n- The security model for private streams has changed.  Now organization administrators can remove users, edit descriptions, and rename private streams they are not subscribed to.  See Zulip's security model documentation for details.\r\n- On Xenial, the local uploads backend now does the same security checks that the S3 backend did before serving files to users. Ubuntu Trusty's version of nginx is too old to support this and so the legacy model is the default; we recommend upgrading.",
            "cve": null,
            "id": "pyup.io-36187",
            "specs": [
                "<1.8.0"
            ],
            "v": "<1.8.0"
        },
        {
            "advisory": "Zulip 2.0.5 fixes DoS vulnerability in Markdown LINK_RE (CVE-2019-16215). It also fixes MIME type validation (CVE-2019-16216).",
            "cve": "CVE-2019-16215,CVE-2019-16216",
            "id": "pyup.io-38117",
            "specs": [
                "<2.0.5"
            ],
            "v": "<2.0.5"
        },
        {
            "advisory": "Zulip 2.0.7 inlcudes a fix for insecure account creation via social authentication - see CVE-2019-18933. It also adds backend enforcement of zxcvbn password strength checks.",
            "cve": "CVE-2019-18933",
            "id": "pyup.io-38116",
            "specs": [
                "<2.0.7"
            ],
            "v": "<2.0.7"
        },
        {
            "advisory": "Zulip 2.0.8 includes a fix for CVE-2019-19775: Close open redirect in thumbnail view.",
            "cve": "CVE-2019-19775",
            "id": "pyup.io-36735",
            "specs": [
                "<2.0.8"
            ],
            "v": "<2.0.8"
        },
        {
            "advisory": "Zulip 2.1.0 improves default nginx TLS settings for stronger security.",
            "cve": null,
            "id": "pyup.io-38115",
            "specs": [
                "<2.1.0"
            ],
            "v": "<2.1.0"
        },
        {
            "advisory": "Zulip 2.1.2 includes a corrected fix for CVE-2019-19775 (the original fix was affected by an unfixed security bug in Python's urllib, CVE-2015-2104). It also adds authentication for redis and memcached even in configurations where these are running on localhost, for add hardening against attacks from malicious processes running on the Zulip server.",
            "cve": "CVE-2019-19775,CVE-2015-2104",
            "id": "pyup.io-38114",
            "specs": [
                "<2.1.2"
            ],
            "v": "<2.1.2"
        }
    ],
    "zwiki": [
        {
            "advisory": "zwiki before <0.37 has a cross-site scripting vulnerability in standard error messages.",
            "cve": null,
            "id": "pyup.io-26199",
            "specs": [
                "<0.37"
            ],
            "v": "<0.37"
        },
        {
            "advisory": "zwiki before <0.59 has a vulnerability in a comment form.",
            "cve": null,
            "id": "pyup.io-26200",
            "specs": [
                "<0.59"
            ],
            "v": "<0.59"
        }
    ]
}