Advisories for Pypi/Scancodeio package

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the license_details_view function. When unsuspecting users visit the …

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the docker_reference parameter. In the function scanpipe/pipes/fetch.py:fetch_docker_image the parameter docker_reference is user controllable. The docker_reference variable is then passed to the vulnerable function get_docker_image_platform. However, the get_docker_image_plaform function constructs a shell …