CVE-2010-2477

Paste < 1.7.3.1 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.

References (9)

[Mailing List] http://groups.google.com/group/paste-users/browse_thread/thread/3b3fff3dadd0b1e5?pli=1

[Mailing List] http://groups.google.com/group/pylons-discuss/msg/8c256dc076a408d8?dmode=source&output=gplain

[Patch] http://bitbucket.org/ianb/paste/changeset/fcae59df8b56

[Patch] http://marc.info/?l=oss-security&m=127785414818815&w=2

[Patch] http://marc.info/?l=oss-security&m=127792576822169&w=2

[Various Sources] http://pylonshq.com/articles/archives/2010/6/paste_174_released_addresses_xss_security_hole

[Third Party Advisory] http://secunia.com/advisories/42500

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/41160

[Vendor Advisory] http://www.ubuntu.com/usn/USN-1026-1

Scores

EPSS 0.0052

EPSS Percentile 66.5%

Classification

CWE

CWE-79

Status published

Affected Products (24)

pythonpaste/paste < 1.7.3.1

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

pythonpaste/paste

... and 9 more

Timeline

Published Nov 06, 2010

Tracked Since Feb 18, 2026