ALT-PU-2017-2355-1
Closed vulnerabilities
Published: 2017-03-18
Modified: 2024-11-21
CVE-2017-7178
CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
Severity: HIGH (8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.14
- http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
- http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
- http://seclists.org/fulldisclosure/2017/Mar/6
- DSA-3856
- 97041
- https://bugs.debian.org/857903
- GLSA-201703-06
Published: 2017-05-17
Modified: 2024-11-21
CVE-2017-9031
The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file.
Severity: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15
- http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd
- DSA-3856
- 99099
- https://bugs.debian.org/862611