Search Results (Refine Search)
- Keyword (text search): cpe:2.3:a:web2py:web2py:2.9.8:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-45158 |
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product. Published: October 16, 2023; 4:15:09 AM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-22432 |
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. Published: March 05, 2023; 7:15:10 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2022-33146 |
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL. Published: June 26, 2022; 9:15:07 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2016-3957 |
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key. Published: February 06, 2018; 1:29:00 PM -0500 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2016-3954 |
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957. Published: February 06, 2018; 1:29:00 PM -0500 |
V4.0:(not available) V3.0: 5.5 MEDIUM V2.0: 2.1 LOW |
CVE-2016-3953 |
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function. Published: February 06, 2018; 1:29:00 PM -0500 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2016-3952 |
web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access. Published: February 06, 2018; 1:29:00 PM -0500 |
V4.0:(not available) V3.0: 7.8 HIGH V2.0: 2.1 LOW |
CVE-2016-10321 |
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks. Published: April 10, 2017; 10:59:00 AM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 5.0 MEDIUM |
CVE-2016-4808 |
Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim. Published: January 11, 2017; 11:59:00 AM -0500 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2016-4807 |
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin). Published: January 11, 2017; 11:59:00 AM -0500 |
V4.0:(not available) V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2016-4806 |
Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files. Published: January 11, 2017; 11:59:00 AM -0500 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |