Lookup for vulnerable packages by Package URL.
| Field | Value |
|---|---|
| Purl | pkg:pypi/docassemble@0.3.9 |
| Type | pypi |
| Namespace | |
| Name | docassemble |
| Version | 0.3.9 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 1.2.65 |
| Latest_non_vulnerable_version | 1.2.65 |

Affected_by_vulnerabilities (entry 0):

| Field | Value |
|---|---|
| url | VCID-zkc9-h3cp-5qfz |
| vulnerability_id | VCID-zkc9-h3cp-5qfz |
| summary | Unauthorized access through URL manipulation (full advisory text below) |
| references | |
| fixed_packages | |
| aliases | GHSA-qrmm-w4v4-q7f8, GMS-2021-9 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-zkc9-h3cp-5qfz |

Fixing_vulnerabilities: (none)

| Field | Value |
|---|---|
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:pypi/docassemble@0.3.9 |

Summary of VCID-zkc9-h3cp-5qfz: Unauthorized access through URL manipulation

### Impact
The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation.
### Patches
The vulnerability has been patched in version 1.2.65 of the `master` branch, version 1.1.113 of the 1.1.x series, and version 1.0.12 of the `stable` branch. The Docker image on docker.io has been patched.
### Workarounds
If upgrading is not possible, manually apply the changes of https://github.com/jhpyle/docassemble/commit/e3dbf6ce054b3c0310996f0657289f5eed0a73fe and restart the server (e.g., by pressing Save on the Configuration screen).
### Credit
The vulnerability was discovered by Jim Platania of Seiso LLC (@jimmio).
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [docassemble](https://github.com/jhpyle/docassemble/issues)
* Join the [Slack channel](https://join.slack.com/t/docassemble/shared_invite/zt-ohrn8y9z-_Fb3RAl~JPBU6Km7odBPfQ)
* Email us at [jhpyle@gmail.com](mailto:jhpyle@gmail.com)