Vulnerability Description
MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using an `<input type="file" ...>` element inside an HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue.
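The mechanism above is easy to miss when reading a form: a file input is normally filled in by the client, but a server can ship one with a `value` attribute already set, and a client that treats that attribute as a local path will open and upload whatever the server named. The following stand-alone Python example, added here and not part of MechanicalSoup or of the advisory, models that decision with a stdlib-only form parser. The function names (`build_submission`, `server_controlled_uploads`), the sample form and the path in it are constructed for illustration; the actual fix lives in the referenced commit. The `trust_server_file_values` switch reproduces the behaviour the advisory describes; the hardened default uploads only files the calling code attaches itself, which is the "reset the form field values" mitigation stated in the description, applied automatically.

```python
from html.parser import HTMLParser

# Constructed sample: a form as a hostile server could serve it. The "avatar"
# input carries a value attribute naming a path on the *client* machine.
# Constructed for this example; not taken from the advisory.
SAMPLE_FORM_HTML = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="text" name="username" value="alice">
  <input type="hidden" name="csrf" value="token-123">
  <input type="file" name="avatar" value="/etc/hostname">
  <input type="file" name="resume">
  <input type="submit" name="go" value="Send">
</form>
"""


class _InputCollector(HTMLParser):
    """Collect every <input> tag's name, type and value from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)  # attributes without a value (e.g. `disabled`) map to None
        self.inputs.append({
            "name": attr.get("name"),
            "type": (attr.get("type") or "text").lower(),
            "value": attr.get("value"),
        })


def parse_inputs(html):
    """Return the named <input> elements of a form in document order."""
    collector = _InputCollector()
    collector.feed(html)
    return [i for i in collector.inputs if i["name"]]


def build_submission(html, client_files=None, trust_server_file_values=False):
    """Decide what a client would send for this form.

    Returns (fields, files): `fields` maps non-file input names to the values
    that will be posted; `files` maps file input names to the local paths the
    client would open and upload.

    trust_server_file_values=True models the pre-1.3.0 behaviour the advisory
    describes: a value attribute on a file input is taken as a client-side path.
    The hardened default ignores any server-supplied value on a file input and
    uploads only the paths the calling code attaches via `client_files`.
    """
    client_files = client_files or {}
    fields, files = {}, {}
    for inp in parse_inputs(html):
        if inp["type"] == "file":
            if inp["name"] in client_files:
                files[inp["name"]] = client_files[inp["name"]]  # caller's explicit choice
            elif trust_server_file_values and inp["value"]:
                files[inp["name"]] = inp["value"]  # server-chosen path: the bug
        elif inp["type"] in ("submit", "button", "reset", "image"):
            continue  # buttons are only sent when clicked; not modelled here
        else:
            fields[inp["name"]] = inp["value"] or ""
    return fields, files


def server_controlled_uploads(html, client_files=None):
    """Audit helper: file inputs whose server-supplied value a vulnerable client
    would open. A non-empty result means the form is trying to pick the file."""
    _, vulnerable = build_submission(html, client_files, trust_server_file_values=True)
    _, hardened = build_submission(html, client_files, trust_server_file_values=False)
    return {name: path for name, path in vulnerable.items() if hardened.get(name) != path}


if __name__ == "__main__":
    fields, files = build_submission(SAMPLE_FORM_HTML, client_files={"resume": "./cv.pdf"})
    print("fields:", fields)
    print("files the hardened client opens:", files)
    print("server-controlled uploads detected:", server_controlled_uploads(SAMPLE_FORM_HTML))
```

Running the block shows the hardened client posting only the two text fields plus the resume the caller attached, while `server_controlled_uploads` flags the `avatar` input as one whose path came from the server. Teams that cannot upgrade immediately can run the audit helper over fetched forms before submitting them; the proper fix remains upgrading to 1.3.0 or later.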
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mechanicalsoup Project | Mechanicalsoup | < 1.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20 (Patch)
- https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0 (Release Notes)
- https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3 (Exploit, Patch, Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20230803-0005/
FAQ
What is CVE-2023-34457?
CVE-2023-34457 is a vulnerability with a CVSS score of 5.9 (MEDIUM). MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a...
How severe is CVE-2023-34457?
CVE-2023-34457 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2023-34457?
Check the references section above for vendor advisories and patch information. Affected products include: Mechanicalsoup Project Mechanicalsoup.