RSS   Vulnerabilities for 'Bottle'   RSS

2016-12-16
 
CVE-2016-9964

 

 
redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.

 
2014-10-25
 
CVE-2014-3137

CWE-20
 

 
Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.

 


Copyright 2024, cxsecurity.com

 

Back to Top