PyPi: Lektor

CVE-2024-28335

Safety vulnerability ID: 71925

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 27, 2024 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Lektor affected versions does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is running on the same machine as the "lektor server" command.

Affected package

lektor

Latest version: 3.3.12

A static content management system.

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

https://github.com/advisories/GHSA-wv28-7fpw-fj49
https://github.com/lektor/lektor/commit/7393d87bd354e43120937789956175064e4610a0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28335

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application