piccolo@0.60.1 vulnerabilities

A fast, user friendly ORM and query builder which supports asyncio.

  • latest version

    1.22.0

  • first published

    6 years ago

  • latest version published

    2 months ago

  • Direct Vulnerabilities

    Known vulnerabilities in the piccolo package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Severity: C (critical)
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    piccolo is a fast, user-friendly ORM and query builder which supports asyncio.

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the handling of named transaction savepoints in all database implementations: a caller-provided savepoint name is passed directly to connection.execute(...) via f-strings, so it is interpolated into the SQL text without validation or escaping.

    How to fix Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')?

    Upgrade piccolo to version 1.1.1 or higher.

    Vulnerable versions: [,1.1.1)
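The vulnerable pattern next to a hardened builder, as an added example that is not piccolo's own code: the function names, the identifier allow-list and the use of sqlite3 as a stand-in backend are all assumptions, and the page does not state how piccolo itself fixed the issue.

```python
import re
import sqlite3

# Constructed example, not piccolo's code. A savepoint name is an SQL
# identifier, so it cannot be sent as a bound parameter; an untrusted
# value must be validated (or identifier-quoted) before it is spliced
# into the statement text.
SAVEPOINT_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def savepoint_sql_unsafe(name: str) -> str:
    """The vulnerable pattern: the caller's name lands in the SQL verbatim."""
    return f"SAVEPOINT {name}"


def is_valid_savepoint_name(name: str) -> bool:
    """Allow-list check: plain identifier characters only."""
    return SAVEPOINT_NAME_RE.fullmatch(name) is not None


def savepoint_sql_safe(name: str) -> str:
    """Hardened builder: refuse anything that is not a bare identifier."""
    if not is_valid_savepoint_name(name):
        raise ValueError(f"invalid savepoint name: {name!r}")
    return f"SAVEPOINT {name}"


def run_in_savepoint(conn: sqlite3.Connection, name: str, stmt: str) -> None:
    """Run stmt inside a named savepoint, releasing or rolling back to it."""
    conn.execute(savepoint_sql_safe(name))  # name validated before use
    try:
        conn.execute(stmt)
        conn.execute(f"RELEASE SAVEPOINT {name}")
    except sqlite3.Error:
        conn.execute(f"ROLLBACK TO SAVEPOINT {name}")
        raise


def demo() -> int:
    """Constructed run on in-memory SQLite; returns the row count of t."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (x INTEGER)")
    run_in_savepoint(conn, "sp_1", "INSERT INTO t VALUES (1)")
    try:  # failing statement: its savepoint is rolled back, t keeps one row
        run_in_savepoint(conn, "sp_2", "INSERT INTO missing VALUES (2)")
    except sqlite3.OperationalError:
        pass
    return conn.execute("SELECT COUNT(*) FROM t").fetchone()[0]
```

The unsafe builder shows why a name containing statement separators or quotes is dangerous; the safe builder rejects such input before any SQL reaches the connection.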
    • Severity: M (medium)
    Information Exposure

    piccolo is a fast, user-friendly ORM and query builder which supports asyncio.

    Affected versions of this package are vulnerable to Information Exposure via the BaseUser.login function. An attacker can generate a list of valid users on the platform by exploiting the information leakage.

    Note: This can potentially lead to a password spray attack and attempted takeover of user accounts. This is only exploitable if the platform does not enforce strong passwords.

    How to fix Information Exposure?

    Upgrade piccolo to version 0.121.0 or higher.

    Vulnerable versions: [,0.121.0)