Vulnerability Details CVE-2023-34457
MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a `<input type="file" ...>` inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.017
EPSS Ranking 81.7%
CVSS Severity
CVSS v3 Score 5.9
References
- https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e
- https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0
- https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4
- https://security.netapp.com/advisory/ntap-20230803-0005/
- https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e
- https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0
- https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4
- https://security.netapp.com/advisory/ntap-20230803-0005/
Products affected by CVE-2023-34457
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.0.2
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.0.3
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.1.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.1.1
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.1.2
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.2.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.2.1
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.2.2
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.3.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.3.1
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.4.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.5.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.6.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.7.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.8.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:0.9.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:1.0.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:1.1.0
-
cpe:2.3:a:mechanicalsoup_project:mechanicalsoup:1.2.0