Web2py: Security Vulnerabilities
Fields for each entry: # | CVE ID | CWE ID | # of exploits | vulnerability type(s) | publish date | update date | CVSS score | gained access level | access vector | access complexity | authentication | confidentiality (Conf.), integrity (Integ.) and availability (Avail.) impact, followed by the description.

1 | CVE-2016-10321 | CWE-254 | Exploits: none listed | Type: none listed | Published 2017-04-10 | Updated 2019-06-21 | Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
web2py before 2.14.6 does not properly check whether a host is denied before verifying passwords, which allows a remote attacker to perform brute-force attacks.
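The ordering problem behind CVE-2016-10321, as an added example that is not web2py's gluon/tools.py code: a login routine that verifies the password before consulting the deny list lets a locked-out host keep guessing, because a correct guess still succeeds, while the fixed ordering rejects a denied host before any password work is done. The `LoginService` class, the lockout threshold `MAX_FAILURES`, the user `alice` and the candidate list are all constructed for this illustration.

```python
# Added illustration for CVE-2016-10321; a small model of a login routine,
# not web2py's Auth. Names, the lockout threshold and the sample user are
# constructed for this example.
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILURES = 3  # assumed lockout threshold; this many failures deny the host


def make_user_table(plain_passwords):
    """Constructed sample credential store: {username: (salt, pbkdf2 hash)}."""
    table = {}
    for name, password in plain_passwords.items():
        salt = os.urandom(16)
        table[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000))
    return table


class LoginService:
    def __init__(self, users):
        self.users = users
        self.failures = defaultdict(int)  # host -> consecutive failed attempts
        self.password_checks = 0          # instrumentation: how often the hash ran

    def host_denied(self, host):
        return self.failures[host] >= MAX_FAILURES

    def verify_password(self, username, password):
        self.password_checks += 1
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)
        return hmac.compare_digest(candidate, stored)

    def login_vulnerable(self, host, username, password):
        # The hash is computed before the deny list is consulted, so a correct
        # guess succeeds even from a host that is already locked out.
        if self.verify_password(username, password):
            return True
        if not self.host_denied(host):
            self.failures[host] += 1
        return False

    def login_fixed(self, host, username, password):
        # Deny first: a blocked host never reaches the password check, so it
        # learns nothing and costs no hashing.
        if self.host_denied(host):
            return False
        if self.verify_password(username, password):
            self.failures[host] = 0
            return True
        self.failures[host] += 1
        return False


def brute_force(service, login, host, username, candidates):
    """Try each candidate; return (password found or None, hashes computed)."""
    for candidate in candidates:
        if login(host, username, candidate):
            return candidate, service.password_checks
    return None, service.password_checks


CANDIDATES = ["123456", "password", "qwerty", "letmein", "hunter2"]  # constructed list
ATTACKER = "203.0.113.9"  # documentation-range address


def run_demo():
    """Run the same guess list against both orderings."""
    results = {}
    for name in ("login_vulnerable", "login_fixed"):
        service = LoginService(make_user_table({"alice": "hunter2"}))
        found, checks = brute_force(service, getattr(service, name), ATTACKER, "alice", CANDIDATES)
        results[name] = (found, checks)
    return results


if __name__ == "__main__":
    for name, (found, checks) in run_demo().items():
        print(f"{name}: found={found!r} after {checks} password checks")
```

With five candidates and a threshold of three, the vulnerable ordering recovers the password on the fifth hash; the fixed ordering stops hashing after the third failure and never returns success to that host.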
2 | CVE-2016-4808 | CWE-352 | Exploits: none listed | Type: CSRF | Published 2017-01-11 | Updated 2017-01-19 | Score 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
Web2py versions 2.14.5 and below were affected by a CSRF (Cross-Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user into performing unwanted actions; for example, an attacker can make a victim disable an installed application just by sending the victim a URL.
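The attack shape in CVE-2016-4808 and the standard defence, as an added example rather than web2py's admin application: a state-changing action that only checks the session cookie is triggered by any link the victim follows, whereas requiring a POST carrying a per-session synchroniser token defeats it, since the attacker's page can neither read the token nor make the browser send it. `CsrfGuard`, `AdminApp`, the session id `s1` and the parameter name `_csrf` are constructed for this illustration.

```python
# Added illustration for CVE-2016-4808; a minimal model of an admin action
# ("disable application") behind a session, not web2py's admin app. The
# CsrfGuard class, handler names and session/request values are constructed.
import hmac
import secrets


class CsrfGuard:
    """Synchroniser-token pattern: one random token per session, echoed back
    in the form body and compared in constant time."""

    def __init__(self):
        self._tokens = {}  # session id -> token

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


class AdminApp:
    def __init__(self):
        self.installed = {"welcome": True, "myapp": True}  # app name -> enabled
        self.sessions = {"s1": {"user": "admin"}}           # logged-in sessions
        self.csrf = CsrfGuard()

    def _logged_in(self, session_id):
        return session_id in self.sessions

    def disable_vulnerable(self, session_id, method, params):
        # Any request carrying the victim's session cookie is enough: a GET
        # link to ?app=myapp, followed from an attacker's page, disables it.
        if not self._logged_in(session_id):
            return "unauthorized"
        self.installed[params["app"]] = False
        return "disabled"

    def disable_fixed(self, session_id, method, params):
        if not self._logged_in(session_id):
            return "unauthorized"
        if method != "POST":  # state change never reachable by a plain link
            return "method not allowed"
        if not self.csrf.validate(session_id, params.get("_csrf")):
            return "invalid csrf token"  # attacker's origin cannot read the token
        self.installed[params["app"]] = False
        return "disabled"


def run_demo():
    """Replay a cross-site request (the victim's browser attaches the cookie,
    the attacker controls method and parameters) against both handlers."""
    forged = dict(session_id="s1", method="GET", params={"app": "myapp"})
    out = {}

    app = AdminApp()
    out["vulnerable"] = (app.disable_vulnerable(**forged), app.installed["myapp"])

    app = AdminApp()
    out["fixed_forged"] = (app.disable_fixed(**forged), app.installed["myapp"])

    # A forged POST still fails: the token lives in the victim's page.
    forged_post = dict(session_id="s1", method="POST",
                       params={"app": "myapp", "_csrf": "guess"})
    out["fixed_forged_post"] = (app.disable_fixed(**forged_post), app.installed["myapp"])

    # The legitimate form carries the token the server issued for this session.
    token = app.csrf.issue("s1")
    legit = dict(session_id="s1", method="POST", params={"app": "myapp", "_csrf": token})
    out["fixed_legit"] = (app.disable_fixed(**legit), app.installed["myapp"])
    return out


if __name__ == "__main__":
    for case, (status, enabled) in run_demo().items():
        print(f"{case:18} -> {status!r}, myapp enabled={enabled}")
```

The method check alone is not a CSRF defence (an attacker's page can auto-submit a cross-origin form), which is why the token comparison is the part that actually blocks the forged POST.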
3 | CVE-2016-4807 | CWE-79 | Exploits: none listed | Type: XSS | Published 2017-01-11 | Updated 2017-01-11 | Score 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Single system | Conf: None | Integ: Partial | Avail: None
Web2py versions 2.14.5 and below were affected by a reflected XSS vulnerability, which allows an attacker to perform an XSS attack against a logged-in user (admin).

4 | CVE-2016-4806 | CWE-200 | Exploits: none listed | Type: +Info, File Inclusion | Published 2017-01-11 | Updated 2017-01-19 | Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
Web2py versions 2.14.5 and below were affected by a Local File Inclusion vulnerability, which allows a malicious user to read sensitive web server files.
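What a local file inclusion of the kind listed for CVE-2016-4806 looks like in code and how a containment check stops it, as an added example that is not web2py's file-serving code: joining a request path onto a base directory follows `..` and discards the base entirely for absolute paths, so the check has to be made on the resolved location. The fixture directory, file names and the `read_vulnerable`/`read_fixed` helpers are constructed for this illustration.

```python
# Added illustration for CVE-2016-4806; a file-serving helper that shows the
# traversal and a containment check that stops it. Not web2py's code; the
# fixture directory and file names are constructed.
import os
import tempfile
from pathlib import Path


def make_fixture():
    """Build <tmp>/static/public.txt (meant to be served) and <tmp>/outside.txt
    (not meant to be served); return the static directory."""
    root = Path(tempfile.mkdtemp())
    static = root / "static"
    (static / "sub").mkdir(parents=True)
    (static / "public.txt").write_text("PUBLIC")
    (root / "outside.txt").write_text("SECRET")
    return static


def read_vulnerable(static_dir, requested):
    # os.path.join follows '..' and drops static_dir altogether when
    # `requested` is absolute, so the caller controls the whole path.
    path = os.path.join(str(static_dir), requested)
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def contained_path(static_dir, requested):
    """Return the resolved file path if it stays inside static_dir, else None.
    resolve() normalises '..' and follows symlinks, so the decision is made on
    the real location rather than on the text of the request."""
    base = Path(static_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def read_fixed(static_dir, requested):
    target = contained_path(static_dir, requested)
    if target is None or not target.is_file():
        return None
    return target.read_text()


if __name__ == "__main__":
    static = make_fixture()
    for req in ("public.txt", "sub/../public.txt", "../outside.txt", "/etc/hostname"):
        print(f"{req:20} vulnerable={read_vulnerable(static, req)!r} "
              f"fixed={read_fixed(static, req)!r}")
```

The check is deliberately done after resolution rather than by string-matching `..` in the request, so percent-decoded or doubled traversal sequences that a framework has already normalised are still caught, and a path that only looks like a prefix match (`static2/` beside `static/`) is rejected because `relative_to` compares path components.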
5 | CVE-2016-3957 | CWE-502 | Exploits: none listed | Type: Exec Code | Published 2018-02-06 | Updated 2019-06-21 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.

6 | CVE-2016-3954 | CWE-200 | Exploits: none listed | Type: Exec Code, +Info | Published 2018-02-06 | Updated 2019-06-21 | Score 2.1 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.

7 | CVE-2016-3953 | CWE-798 | Exploits: none listed | Type: Exec Code | Published 2018-02-06 | Updated 2019-06-21 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: Partial
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
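Why the three entries above (CVE-2016-3957, CVE-2016-3954 and CVE-2016-3953) chain into code execution, as an added example: a signature on the cookie proves only that a key holder wrote it, so once the key is known, whether leaked by the status page or hard-coded in the sample application, `pickle.loads` turns "can write the cookie" into "can run code", whereas a signed JSON payload gives the same key holder nothing beyond forging data. This is a simplified model written for this page, not web2py's `secure_load`/`secure_dumps` in gluon/utils.py (which also encrypt the payload); the key, the `Gadget` class, the `record_execution` stand-in for a real payload and all function names are constructed.

```python
# Added illustration for CVE-2016-3957 / CVE-2016-3954 / CVE-2016-3953.
# Simplified model of a signed session cookie, not web2py's gluon/utils.py.
# Key, gadget and payloads are constructed for this example.
import base64
import hashlib
import hmac
import json
import pickle

EXECUTED = []  # filled in when the gadget's callable actually runs


def record_execution(marker):
    """Stand-in for os.system and friends: harmless, but proves the call ran."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Unpickling an instance calls record_execution(): __reduce__ may name any
    importable callable plus its arguments, and pickle.loads will invoke it."""

    def __reduce__(self):
        return (record_execution, ("code ran inside pickle.loads",))


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _verify(cookie, key):
    """Split 'sig:payload'; return payload bytes if the HMAC matches, else None."""
    if ":" not in cookie:
        return None
    sig, payload = cookie.split(":", 1)
    payload = payload.encode()
    if not hmac.compare_digest(sig, _sign(key, payload)):
        return None
    return payload


def secure_dumps_pickle(data, key):
    payload = base64.urlsafe_b64encode(pickle.dumps(data))
    return _sign(key, payload) + ":" + payload.decode()


def secure_loads_pickle(cookie, key):
    # Vulnerable: the HMAC is checked, but a valid signature is exactly what a
    # key holder can produce, and pickle.loads then executes whatever they sent.
    payload = _verify(cookie, key)
    if payload is None:
        return None
    return pickle.loads(base64.urlsafe_b64decode(payload))


def secure_dumps_json(data, key):
    payload = base64.urlsafe_b64encode(json.dumps(data).encode())
    return _sign(key, payload) + ":" + payload.decode()


def secure_loads_json(cookie, key):
    # Hardened: same signature check, but the decoder can only build plain data.
    payload = _verify(cookie, key)
    if payload is None:
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None  # correctly signed but not a JSON document: reject


def forge_cookie(leaked_key):
    """What an attacker does with a leaked or hard-coded key."""
    return secure_dumps_pickle(Gadget(), leaked_key)


def run_demo():
    key = b"constructed-demo-key"  # stands in for a leaked encryption_key
    forged = forge_cookie(key)
    out = {}

    EXECUTED.clear()
    secure_loads_pickle(forged, key)
    out["pickle_executed"] = list(EXECUTED)  # the gadget fired

    EXECUTED.clear()
    out["json_result"] = secure_loads_json(forged, key)  # None, nothing ran
    out["json_executed"] = list(EXECUTED)

    # Without the key, not even the JSON session can be altered.
    good = secure_dumps_json({"user": "alice", "role": "user"}, key)
    sig, _ = good.split(":", 1)
    evil = base64.urlsafe_b64encode(json.dumps({"user": "alice", "role": "admin"}).encode())
    out["tampered"] = secure_loads_json(sig + ":" + evil.decode(), key)
    out["roundtrip"] = secure_loads_json(good, key)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The signature check is identical in both loaders; the only difference is the deserialiser, which is the whole point of CWE-502. The JSON variant limits a key holder to forging session fields, which is still serious, so the key leak (CVE-2016-3954) and the hard-coded key (CVE-2016-3953) remain findings in their own right even after the deserialiser is fixed.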
8 | CVE-2016-3952 | CWE-255 | Exploits: none listed | Type: none listed | Published 2018-02-06 | Updated 2019-06-21 | Score 2.1 | Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf: Partial | Integ: None | Avail: None
web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access.

9 | CVE-2015-6961 | CWE-601 | Exploits: none listed | Type: none listed | Published 2017-10-18 | Updated 2017-10-31 | Score 5.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: Partial | Integ: Partial | Avail: None
Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.
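Validating a `_next` parameter before redirecting, as an added example that is not the gluon/tools.py code the CVE-2015-6961 entry refers to. It accepts a same-site path or an absolute http(s) URL on an explicit allow list, and rejects the forms browsers turn into another origin: absolute URLs, protocol-relative `//host` and `///host`, non-http schemes such as `javascript:`, leading control characters that browsers strip, backslashes, and userinfo tricks like `https://good@evil`. The function names, `DEFAULT_NEXT` and the allowed-host list are constructed for this illustration.

```python
# Added illustration for CVE-2015-6961: validating a post-logout `_next`
# parameter before redirecting. Not web2py's code; names are constructed.
from urllib.parse import urlsplit

DEFAULT_NEXT = "/"  # where to send the user when the parameter is rejected


def is_safe_next(candidate, allowed_hosts=()):
    """Accept a same-site path, or an absolute http(s) URL whose host is
    explicitly allowed; reject anything a browser could resolve elsewhere."""
    if not candidate:
        return False
    # Browsers (and newer urlsplit) strip leading C0 controls and spaces, which
    # would let "\t//evil" through; some browsers treat backslash as a slash.
    if any(ch <= " " for ch in candidate) or "\\" in candidate:
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only an allow-listed host over http(s). hostname, not
        # netloc, is compared, so "https://good@evil" resolves to "evil".
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    # Relative reference: must be a path. "//host" is caught above via netloc,
    # but "///host" parses as a path here while browsers read it as a host.
    return candidate.startswith("/") and not candidate.startswith("//")


def logout_target(params, allowed_hosts=()):
    """Pick the redirect for user/logout from the request parameters."""
    candidate = params.get("_next")
    return candidate if is_safe_next(candidate, allowed_hosts) else DEFAULT_NEXT


if __name__ == "__main__":
    for url in ("/dashboard", "//evil.example/", "///evil.example",
                "https://evil.example/", "javascript:alert(1)", "\t//evil.example",
                "https://app.example.com@evil.example/"):
        print(f"{url!r:42} safe={is_safe_next(url, ('app.example.com',))}")
```

A bare relative reference without a leading slash (`dashboard`) is also rejected, not because it is dangerous but because its meaning depends on the current path; being strict here costs nothing, since the application controls what it puts in `_next`.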
10 | CVE-2013-2311 | CWE-79 | Exploits: none listed | Type: XSS | Published 2013-05-22 | Updated 2013-07-15 | Score 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf: None | Integ: Partial | Avail: None
Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Total number of vulnerabilities: 10