Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | 1.90.6 |
| web2py | web2py | 1.96.4 |
| web2py | web2py | * |
| web2py | web2py | 1.91.5 |
| web2py | web2py | 1.96.1 |
| web2py | web2py | 1.30.0 |
| web2py | web2py | 1.56.4 |
| web2py | web2py | 1.69.1 |
| web2py | web2py | 1.74.8 |
| web2py | web2py | 1.46.0 |
| web2py | web2py | 1.29.0 |
| web2py | web2py | 1.51.0 |
| web2py | web2py | 1.20.0 |
| web2py | web2py | 1.67.1 |
| web2py | web2py | 1.93.2 |
| web2py | web2py | 1.92.1 |
| web2py | web2py | 1.94.2 |
| web2py | web2py | 1.76.2 |
| web2py | web2py | 1.75.4 |
| web2py | web2py | 1.77.1 |
| web2py | web2py | 1.65.3-10 |
| web2py | web2py | 1.80.1 |
| web2py | web2py | 1.89.5 |
| web2py | web2py | 1.43.0 |
| web2py | web2py | 1.65.13 |
| web2py | web2py | 1.64.4 |
| web2py | web2py | 2.0.1-11 |
| web2py | web2py | 1.16.0 |
| web2py | web2py | 1.86.1 |
| web2py | web2py | 1.56.2 |
| web2py | web2py | 1.61.0 |
| web2py | web2py | 1.98.2 |
| web2py | web2py | 1.23.0 |
| web2py | web2py | 1.50.0 |
| web2py | web2py | 1.97.1 |
| web2py | web2py | 1.76.3 |
| web2py | web2py | 1.81.2 |
| web2py | web2py | 1.53.0 |
| web2py | web2py | 1.56.1 |
| web2py | web2py | 1.49.0 |
| web2py | web2py | 1.74.9 |
| web2py | web2py | 1.94.4 |
| web2py | web2py | 1.17.0 |
| web2py | web2py | 1.66.0 |
| web2py | web2py | 1.81.4 |
| web2py | web2py | 1.67.0 |
| web2py | web2py | 1.99.4 |
| web2py | web2py | 1.48.0 |
| web2py | web2py | 1.73.1 |
| web2py | web2py | 1.81.3 |
| web2py | web2py | 1.63.0 |
| web2py | web2py | 1.75.3 |
| web2py | web2py | 1.52.0 |
| web2py | web2py | 1.56.0 |
| web2py | web2py | 1.75.1 |
| web2py | web2py | 1.91.6 |
| web2py | web2py | 1.65.12 |
| web2py | web2py | 1.63.3 |
| web2py | web2py | 1.79.2 |
| web2py | web2py | 1.65.2 |
| web2py | web2py | 1.45.0 |
| web2py | web2py | 1.75.5 |
| web2py | web2py | 1.87.1 |
| web2py | web2py | 1.31.0 |
| web2py | web2py | 1.57.0 |
| web2py | web2py | 1.74.7 |
| web2py | web2py | 1.72.1 |
| web2py | web2py | 1.76.4 |
| web2py | web2py | 1.24.0 |
| web2py | web2py | 1.74.5 |
| web2py | web2py | 1.99.7 |
| web2py | web2py | 1.87.3 |
| web2py | web2py | 1.83.1 |
| web2py | web2py | 1.75.2 |
| web2py | web2py | 1.83.2 |
| web2py | web2py | 1.19.0 |
| web2py | web2py | 1.91.2 |
| web2py | web2py | 1.22.0 |
| web2py | web2py | 1.86.3 |
| web2py | web2py | 1.99.2 |
| web2py | web2py | 1.94.1 |
| web2py | web2py | 1.98.1 |
| web2py | web2py | 1.62.0 |
| web2py | web2py | 1.76.5 |
| web2py | web2py | 1.94.3 |
| web2py | web2py | 1.71.1 |
| web2py | web2py | 1.87.2 |
| web2py | web2py | 1.91.1 |
| web2py | web2py | 1.68.1 |
| web2py | web2py | 1.93.1 |
| web2py | web2py | 1.42.0 |
| web2py | web2py | 1.96.2 |
| web2py | web2py | 1.63.5 |
| web2py | web2py | 1.68.2 |
| web2py | web2py | 1.77.2 |
| web2py | web2py | 1.56.3 |
| web2py | web2py | 1.79.1 |
| web2py | web2py | 1.74.1 |
| web2py | web2py | 1.81.1 |
| web2py | web2py | 1.63.4 |
| web2py | web2py | 1.65.11 |
| web2py | web2py | 1.65.0 |
| web2py | web2py | 1.84.1 |
| web2py | web2py | 1.78.3 |
| web2py | web2py | 1.55.0 |
| web2py | web2py | 1.76.1 |
| web2py | web2py | 1.40.0 |
| web2py | web2py | 1.59.0 |
| web2py | web2py | 1.90.1 |
| web2py | web2py | 1.63.2 |
| web2py | web2py | 1.47.0 |
| web2py | web2py | 1.41.0 |
| web2py | web2py | 1.58.0 |
| web2py | web2py | 1.84.4 |
| web2py | web2py | 1.18.0 |
| web2py | web2py | 1.28.0 |
| web2py | web2py | 1.78.1 |
| web2py | web2py | 1.70.1 |
| web2py | web2py | 1.99.1 |
| web2py | web2py | 1.26.0 |
| web2py | web2py | 1.60.0 |
| web2py | web2py | 1.85.1 |
| web2py | web2py | 1.64.0 |
| web2py | web2py | 1.64.3 |
| web2py | web2py | 1.88.1 |
| web2py | web2py | 1.99.3 |
| web2py | web2py | 2.1.0 |
| web2py | web2py | 1.21.0 |
| web2py | web2py | 1.27.0 |
| web2py | web2py | 1.74.2-4 |
| web2py | web2py | 1.72.3 |
| web2py | web2py | 1.74.6 |
| web2py | web2py | 1.99.5 |
| web2py | web2py | 1.63.1 |
| web2py | web2py | 1.67.2 |
| web2py | web2py | 1.81.5 |
| web2py | web2py | 1.90.4 |
| web2py | web2py | 1.95.1 |
| web2py | web2py | 1.64.2 |
| web2py | web2py | 1.94.5 |
| web2py | web2py | 1.82.1 |
| web2py | web2py | 1.90.5 |
| web2py | web2py | 1.85.3 |
| web2py | web2py | 1.25.0 |
| web2py | web2py | 1.44.0 |
| web2py | web2py | 1.90.2 |
| web2py | web2py | 1.65.1 |
| web2py | web2py | 1.54.0 |
| web2py | web2py | 1.94.6 |
| web2py | web2py | 1.77.3 |
| web2py | web2py | 1.89.1 |
Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-601
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | 2.9.11 |
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
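The failure described above is one of ordering: the deny-list check has to run before any password verification, otherwise a locked-out host still gets a working password oracle. The following is an added example (not web2py's code) of a login guard that consults the per-host deny list first, records failures, and only then calls a constant-time verifier; the user store, salt, host addresses and the `FakeClock` are constructed for the demonstration.

```python
import hashlib
import hmac
import time


class FakeClock:
    """Controllable clock so lockout expiry can be exercised deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class LoginGuard:
    """Checks the per-host deny list BEFORE touching the password verifier."""

    def __init__(self, verify_password, max_failures=5, lockout_seconds=300,
                 clock=time.monotonic):
        self._verify = verify_password      # callable(user, password) -> bool
        self._failures = {}                 # host -> consecutive failure count
        self._denied_until = {}             # host -> clock value when lockout ends
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self.password_checks = 0            # how often the verifier actually ran

    def is_denied(self, host):
        until = self._denied_until.get(host)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: forget the host so it starts with a clean slate.
            del self._denied_until[host]
            self._failures.pop(host, None)
            return False
        return True

    def login(self, host, user, password):
        # The order matters: a denied host must never reach the verifier,
        # or the lockout does nothing to stop a brute-force attack.
        if self.is_denied(host):
            return "denied"
        self.password_checks += 1
        if self._verify(user, password):
            self._failures.pop(host, None)
            return "ok"
        count = self._failures.get(host, 0) + 1
        self._failures[host] = count
        if count >= self.max_failures:
            self._denied_until[host] = self._clock() + self.lockout_seconds
        return "invalid"


# Constructed credential store; a real one would keep a per-user random salt.
_SALT = b"constructed-demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


_USERS = {"admin": _hash("correct horse")}


def verify_password(user, password):
    stored = _USERS.get(user)
    if stored is None:
        _hash(password)  # burn the same time for unknown users
        return False
    return hmac.compare_digest(stored, _hash(password))
```

Once a host has exhausted its attempts, even the correct password returns `denied` and `password_checks` stays flat, which is the observable difference between this and a check that runs after verification.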
web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access.
CVSS 2.0
Severity: LOW
Problem Type: CWE-255
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-798
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
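The three entries above (the hardcoded key passed to session.connect, the key disclosed via examples/simple_examples/status, and secure_load deserializing cookies with pickle.loads) chain into one failure: an HMAC over a pickle only proves who minted the cookie, and once the key is known or hardcoded, the pickle body itself is the code-execution primitive. The following added example models that sign-then-pickle pattern and a JSON-bodied replacement; it is illustrative code, not web2py's secure_dumps/secure_loads, and the envelope format, the `HARDCODED_KEY` value and the gadget (which only runs `echo`) are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import pickle
import secrets
import subprocess


class Gadget:
    """Any object whose __reduce__ names a callable: pickle.loads will call it.
    Here the callable is a harmless echo; an attacker would choose otherwise."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "unpickling ran this command"],))


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


# --- vulnerable pattern: authenticate the blob, then pickle.loads it ---
def secure_dumps_pickle(obj, key):
    payload = base64.b64encode(pickle.dumps(obj))
    return _sign(key, payload) + ":" + payload.decode()


def secure_loads_pickle(blob, key):
    sig, payload = blob.split(":", 1)
    if not hmac.compare_digest(sig, _sign(key, payload.encode())):
        raise ValueError("bad signature")
    # Signature verified, but the body is still attacker-chosen bytecode.
    return pickle.loads(base64.b64decode(payload))


# --- hardened pattern: identical envelope, data-only JSON body ---
def secure_dumps_json(obj, key):
    body = json.dumps(obj, separators=(",", ":")).encode()
    payload = base64.b64encode(body)
    return _sign(key, payload) + ":" + payload.decode()


def secure_loads_json(blob, key):
    sig, payload = blob.split(":", 1)
    if not hmac.compare_digest(sig, _sign(key, payload.encode())):
        raise ValueError("bad signature")
    # json.loads can only ever build dicts, lists, strings and numbers.
    return json.loads(base64.b64decode(payload).decode("utf-8"))


HARDCODED_KEY = b"yoursecret"  # constructed stand-in for a key shipped in sample code


def fresh_key():
    """Per-deployment random key; the fix for the hardcoded value above."""
    return secrets.token_bytes(32)


def forge_cookie(key):
    """What anyone who knows the key can mint for the pickle-based loader."""
    return secure_dumps_pickle(Gadget(), key)
```

With the pickle loader, a forged cookie passes the signature check and `pickle.loads` runs the gadget; with the JSON loader the same body is rejected as undecodable even under the correct key, and a wrong key is rejected by both before any parsing happens.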
Web2py versions 2.14.5 and below were affected by a Local File Inclusion vulnerability, which allows a malicious user to read sensitive files on the web server.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
Web2py versions 2.14.5 and below were affected by a Reflected XSS vulnerability, which allows an attacker to perform an XSS attack against a logged-in user (admin).
CVSS 2.0
Severity: LOW
Problem Type: CWE-79
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
Web2py versions 2.14.5 and below were affected by a CSRF (Cross-Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user into performing unwanted actions; for example, an attacker can make a victim disable an installed application just by sending the victim a URL.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-601
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
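Three of the entries on this page (the _next parameter to user/logout in 2.9.11, and the open redirects fixed in 2.22.5 and 2.23.1) are the same class of bug: a caller-supplied "where to go next" value is handed to the redirect without confirming it stays on the site. The following added validator is example code, not web2py's own; the `allowed_host` parameter and the test URLs are assumptions constructed for the demonstration. It goes beyond the literal `_next` case by covering the parser tricks a practitioner has to expect: scheme-relative `//host`, backslashes that browsers turn into slashes, `///host`, credentials before an `@`, non-HTTP schemes and control characters.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_next_url(raw_next, default="/", allowed_host=None):
    """Return a same-site redirect target, or `default` if `raw_next` is unsafe.

    allowed_host: the hostname this application is served on (assumed input);
    absolute URLs are accepted only when they point at exactly that host.
    """
    if not raw_next:
        return default
    # Tabs, newlines and other control characters are stripped by browsers
    # before parsing, so a value containing them may parse differently there.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw_next):
        return default
    # Browsers treat "\" as "/" in http(s) URLs: "/\evil.com" becomes "//evil.com".
    candidate = raw_next.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    if parts.scheme or parts.netloc or candidate.startswith("//"):
        # Absolute or scheme-relative URL: only our own host over http(s) is acceptable.
        if parts.scheme not in ("", "http", "https"):
            return default
        host = (parts.hostname or "")  # lowercased, port and userinfo removed
        if allowed_host is None or host != allowed_host.lower():
            return default
    path = parts.path or "/"
    # After dropping scheme and host we must be left with a single-slash path.
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Rebuild without scheme/netloc so the redirect is always relative.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def logout_redirect(request_args, allowed_host="app.example.com"):
    """Where a logout handler would send the user (hypothetical glue code)."""
    return safe_next_url(request_args.get("_next"), default="/", allowed_host=allowed_host)
```

Rejecting anything that is not a plain absolute path is deliberate: rewriting a hostile value into something "close" tends to reopen the hole, whereas falling back to the default loses nothing but a convenience.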
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| web2py | web2py | * |
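The entry above hinges on request-controlled text (the log message) reaching a shell when the notification handler runs an external command. The following added example is not web2py's handler: it uses `echo` as a constructed stand-in for the notification binary and a constructed hostile log message, and shows the interpolated-string form beside two fixes, an argv list with no shell and `shlex.quote` for the case where a shell string cannot be avoided.

```python
import logging
import shlex
import subprocess


class ShellNotifyHandler(logging.Handler):
    """Vulnerable pattern: the formatted log record is spliced into a shell string."""

    def __init__(self, command="echo"):
        super().__init__()
        self.command = command
        self.outputs = []

    def emit(self, record):
        cmd = "%s %s" % (self.command, self.format(record))  # reaches `sh -c` verbatim
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        self.outputs.append(result.stdout)


class ArgvNotifyHandler(logging.Handler):
    """Hardened: argv list, no shell, the whole message is one argument."""

    def __init__(self, command="echo"):
        super().__init__()
        self.command = command
        self.outputs = []

    def emit(self, record):
        argv = [self.command, self.format(record)]
        result = subprocess.run(argv, shell=False, capture_output=True, text=True)
        self.outputs.append(result.stdout)


def shell_safe_command(command, message):
    """If a shell string is unavoidable, quote the untrusted part for the shell."""
    return "%s %s" % (command, shlex.quote(message))


def log_through(handler, message):
    """Send one ERROR record through `handler` and return what the command printed."""
    logger = logging.Logger("notify-demo")  # standalone logger, not the root logger
    logger.addHandler(handler)
    logger.error(message)
    return handler.outputs[-1]


def run_quoted(command, message):
    result = subprocess.run(shell_safe_command(command, message),
                            shell=True, capture_output=True, text=True)
    return result.stdout


# Constructed attacker-controlled value that ends up in a log line
# (for example a username or User-Agent header).
HOSTILE = "login failed; echo INJECTED"
```

With the shell handler the `;` ends the `echo` and starts a second command, so the output carries a separate `INJECTED` line; the argv handler and the quoted form both print the message literally. Note that an argv list only fixes shell metacharacters; a message beginning with `-` can still be read as an option by the target binary, so a real handler should also pass whatever end-of-options marker that binary supports.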