Summary
| Detail | |||
|---|---|---|---|
| Vendor | web2py | First view | 2013-05-22 |
| Product | web2py | Last view | 2023-03-06 |
| Version | 1.83.2 | Type | Application |
| Update | * | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:web2py:web2py | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 6.1 | 2023-03-06 | CVE-2023-22432 | Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. |
| 6.1 | 2022-06-27 | CVE-2022-33146 | Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL. |
| 9.8 | 2018-02-06 | CVE-2016-3957 | The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key. |
| 5.5 | 2018-02-06 | CVE-2016-3954 | web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957. |
| 9.8 | 2018-02-06 | CVE-2016-3953 | The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function. |
| 7.8 | 2018-02-06 | CVE-2016-3952 | web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access. |
| 9.8 | 2017-04-10 | CVE-2016-10321 | web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks. |
| 8.8 | 2017-01-11 | CVE-2016-4808 | Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim. |
| 4.8 | 2017-01-11 | CVE-2016-4807 | Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin). |
| 7.5 | 2017-01-11 | CVE-2016-4806 | Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files. |
| 4.3 | 2013-05-22 | CVE-2013-2311 | Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 18% (2) | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| 18% (2) | CWE-200 | Information Exposure |
| 18% (2) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| 9% (1) | CWE-798 | Use of Hard-coded Credentials |
| 9% (1) | CWE-502 | Deserialization of Untrusted Data |
| 9% (1) | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 9% (1) | CWE-255 | Credentials Management |
| 9% (1) | CWE-254 | Security Features |
