Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
33 vulnerabilities found for web2py by web2py
CVE-2026-25198 (GCVE-0-2026-25198)
Vulnerability from cvelistv5 – Published: 2026-02-05 07:38 – Updated: 2026-02-05 15:05
VLAI
Summary
web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL redirection to untrusted site ('Open Redirect')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T15:05:09.512715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T15:05:15.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "URL redirection to untrusted site (\u0027Open Redirect\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T07:38:31.763Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df"
},
{
"url": "https://github.com/web2py/web2py/releases"
},
{
"url": "https://web2py.com/"
},
{
"url": "https://jvn.jp/en/jp/JVN46925341/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-25198",
"datePublished": "2026-02-05T07:38:31.763Z",
"dateReserved": "2026-01-30T02:36:15.737Z",
"dateUpdated": "2026-02-05T15:05:15.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-45158 (GCVE-0-2023-45158)
Vulnerability from cvelistv5 – Published: 2023-10-16 07:53 – Updated: 2024-09-18 14:02
VLAI
Summary
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- OS command injection
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/init/default/download"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN80476432/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:02:01.283678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:02:11.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "2.24.1 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "OS command injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T07:53:52.134Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://web2py.com/"
},
{
"url": "http://web2py.com/init/default/download"
},
{
"url": "https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3"
},
{
"url": "https://jvn.jp/en/jp/JVN80476432/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45158",
"datePublished": "2023-10-16T07:53:52.134Z",
"dateReserved": "2023-10-04T23:39:17.361Z",
"dateUpdated": "2024-09-18T14:02:11.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22432 (GCVE-0-2023-22432)
Vulnerability from cvelistv5 – Published: 2023-03-05 00:00 – Updated: 2025-03-07 21:45
VLAI
Summary
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Open Redirect
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:06.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/init/default/download"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN78253670/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T21:44:47.079414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T21:45:54.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "versions prior to 2.23.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://web2py.com/"
},
{
"url": "http://web2py.com/init/default/download"
},
{
"url": "https://jvn.jp/en/jp/JVN78253670/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22432",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2022-12-28T00:00:00.000Z",
"dateUpdated": "2025-03-07T21:45:54.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33146 (GCVE-0-2022-33146)
Vulnerability from cvelistv5 – Published: 2022-06-27 00:20 – Updated: 2024-08-03 08:01
VLAI
Summary
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.
Severity
No CVSS data available.
CWE
- Open Redirect
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://web2py.com/ | x_refsource_MISC |
| https://github.com/web2py/web2py/commit/d9805606f… | x_refsource_MISC |
| https://github.com/web2py/web2py/commit/a181b855a… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN02158640/index.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:20.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "versions prior to 2.22.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T00:20:17.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-33146",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "web2py",
"version": {
"version_data": [
{
"version_value": "versions prior to 2.22.5"
}
]
}
}
]
},
"vendor_name": "web2py"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Open Redirect"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://web2py.com/",
"refsource": "MISC",
"url": "http://web2py.com/"
},
{
"name": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"name": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"name": "https://jvn.jp/en/jp/JVN02158640/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-33146",
"datePublished": "2022-06-27T00:20:17.000Z",
"dateReserved": "2022-06-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T08:01:20.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-3957 (GCVE-0-2016-3957)
Vulnerability from cvelistv5 – Published: 2018-02-06 18:00 – Updated: 2024-08-06 00:10
VLAI
Summary
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://devco.re/blog/2017/01/03/web2py-unseriali… | x_refsource_MISC |
| https://github.com/web2py/web2py/blob/R-2.14.1/gl… | x_refsource_MISC |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2016-03-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:10:31.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-3957",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/",
"refsource": "MISC",
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "https://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-3957",
"datePublished": "2018-02-06T18:00:00.000Z",
"dateReserved": "2016-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:10:31.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-3954 (GCVE-0-2016-3954)
Vulnerability from cvelistv5 – Published: 2018-02-06 18:00 – Updated: 2024-08-06 00:10
VLAI
Summary
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://devco.re/blog/2017/01/03/web2py-unseriali… | x_refsource_MISC |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2016-03-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:10:31.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-3954",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/",
"refsource": "MISC",
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-3954",
"datePublished": "2018-02-06T18:00:00.000Z",
"dateReserved": "2016-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:10:31.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-3952 (GCVE-0-2016-3952)
Vulnerability from cvelistv5 – Published: 2018-02-06 18:00 – Updated: 2024-08-06 00:10
VLAI
Summary
web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/web2py/web2py/commit/9706d125b… | x_refsource_CONFIRM |
| https://devco.re/blog/2017/01/03/web2py-unseriali… | x_refsource_MISC |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2016-03-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:10:31.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-3952",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40"
},
{
"name": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/",
"refsource": "MISC",
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-3952",
"datePublished": "2018-02-06T18:00:00.000Z",
"dateReserved": "2016-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:10:31.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-3953 (GCVE-0-2016-3953)
Vulnerability from cvelistv5 – Published: 2018-02-06 18:00 – Updated: 2024-08-06 00:10
VLAI
Summary
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://devco.re/blog/2017/01/03/web2py-unseriali… | x_refsource_MISC |
| https://github.com/web2py/web2py/blob/R-2.14.1/ap… | x_refsource_MISC |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2016-03-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:10:31.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-3953",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/",
"refsource": "MISC",
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-3953",
"datePublished": "2018-02-06T18:00:00.000Z",
"dateReserved": "2016-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:10:31.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6961 (GCVE-0-2015-6961)
Vulnerability from cvelistv5 – Published: 2017-10-18 20:00 – Updated: 2024-08-06 07:36
VLAI
Summary
Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/web2py/web2py/commit/e31a099cb… | x_refsource_CONFIRM |
| https://github.com/web2py/web2py/issues/731 | x_refsource_CONFIRM |
Date Public
2015-01-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:36:34.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/issues/731"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-18T19:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/issues/731"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-6961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0"
},
{
"name": "https://github.com/web2py/web2py/issues/731",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/issues/731"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-6961",
"datePublished": "2017-10-18T20:00:00.000Z",
"dateReserved": "2015-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:36:34.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10321 (GCVE-0-2016-10321)
Vulnerability from cvelistv5 – Published: 2017-04-10 14:00 – Updated: 2024-08-06 03:14
VLAI
Summary
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/web2py/web2py/issues/1585#issu… | x_refsource_CONFIRM |
| https://github.com/web2py/web2py/commit/944d8bd8f… | x_refsource_CONFIRM |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2017-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:14:43.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/issues/1585#issuecomment-284317919"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/issues/1585#issuecomment-284317919"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10321",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/web2py/web2py/issues/1585#issuecomment-284317919",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/issues/1585#issuecomment-284317919"
},
{
"name": "https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10321",
"datePublished": "2017-04-10T14:00:00.000Z",
"dateReserved": "2017-04-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:14:43.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4806 (GCVE-0-2016-4806)
Vulnerability from cvelistv5 – Published: 2017-01-11 16:00 – Updated: 2024-08-06 00:39
VLAI
Summary
Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/39821/ | exploitx_refsource_EXPLOIT-DB |
| http://packetstormsecurity.com/files/137070/Web2p… | x_refsource_MISC |
Date Public
2016-05-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:39:26.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-11T15:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4806",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "39821",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"name": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4806",
"datePublished": "2017-01-11T16:00:00.000Z",
"dateReserved": "2016-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:39:26.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4807 (GCVE-0-2016-4807)
Vulnerability from cvelistv5 – Published: 2017-01-11 16:00 – Updated: 2024-08-06 00:39
VLAI
Summary
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/39821/ | exploitx_refsource_EXPLOIT-DB |
| http://packetstormsecurity.com/files/137070/Web2p… | x_refsource_MISC |
Date Public
2016-05-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:39:26.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-11T15:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4807",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "39821",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"name": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4807",
"datePublished": "2017-01-11T16:00:00.000Z",
"dateReserved": "2016-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:39:26.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4808 (GCVE-0-2016-4808)
Vulnerability from cvelistv5 – Published: 2017-01-11 16:00 – Updated: 2024-08-06 00:39
VLAI
Summary
Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/39821/ | exploitx_refsource_EXPLOIT-DB |
| http://packetstormsecurity.com/files/137070/Web2p… | x_refsource_MISC |
Date Public
2016-04-02 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:39:26.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-04-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-11T15:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4808",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "39821",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"name": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4808",
"datePublished": "2017-01-11T16:00:00.000Z",
"dateReserved": "2016-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:39:26.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-25198 (GCVE-0-2026-25198)
Vulnerability from nvd – Published: 2026-02-05 07:38 – Updated: 2026-02-05 15:05
VLAI
Summary
web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL redirection to untrusted site ('Open Redirect')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T15:05:09.512715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T15:05:15.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "URL redirection to untrusted site (\u0027Open Redirect\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T07:38:31.763Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df"
},
{
"url": "https://github.com/web2py/web2py/releases"
},
{
"url": "https://web2py.com/"
},
{
"url": "https://jvn.jp/en/jp/JVN46925341/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-25198",
"datePublished": "2026-02-05T07:38:31.763Z",
"dateReserved": "2026-01-30T02:36:15.737Z",
"dateUpdated": "2026-02-05T15:05:15.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-45158 (GCVE-0-2023-45158)
Vulnerability from nvd – Published: 2023-10-16 07:53 – Updated: 2024-09-18 14:02
VLAI
Summary
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- OS command injection
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/init/default/download"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN80476432/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:02:01.283678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:02:11.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "2.24.1 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "OS command injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T07:53:52.134Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://web2py.com/"
},
{
"url": "http://web2py.com/init/default/download"
},
{
"url": "https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3"
},
{
"url": "https://jvn.jp/en/jp/JVN80476432/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45158",
"datePublished": "2023-10-16T07:53:52.134Z",
"dateReserved": "2023-10-04T23:39:17.361Z",
"dateUpdated": "2024-09-18T14:02:11.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22432 (GCVE-0-2023-22432)
Vulnerability from nvd – Published: 2023-03-05 00:00 – Updated: 2025-03-07 21:45
VLAI
Summary
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Open Redirect
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:06.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/init/default/download"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN78253670/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T21:44:47.079414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T21:45:54.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "versions prior to 2.23.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://web2py.com/"
},
{
"url": "http://web2py.com/init/default/download"
},
{
"url": "https://jvn.jp/en/jp/JVN78253670/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22432",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2022-12-28T00:00:00.000Z",
"dateUpdated": "2025-03-07T21:45:54.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33146 (GCVE-0-2022-33146)
Vulnerability from nvd – Published: 2022-06-27 00:20 – Updated: 2024-08-03 08:01
VLAI
Summary
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.
Severity
No CVSS data available.
CWE
- Open Redirect
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://web2py.com/ | x_refsource_MISC |
| https://github.com/web2py/web2py/commit/d9805606f… | x_refsource_MISC |
| https://github.com/web2py/web2py/commit/a181b855a… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN02158640/index.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:20.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "versions prior to 2.22.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T00:20:17.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-33146",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "web2py",
"version": {
"version_data": [
{
"version_value": "versions prior to 2.22.5"
}
]
}
}
]
},
"vendor_name": "web2py"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Open Redirect"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://web2py.com/",
"refsource": "MISC",
"url": "http://web2py.com/"
},
{
"name": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"name": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"name": "https://jvn.jp/en/jp/JVN02158640/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-33146",
"datePublished": "2022-06-27T00:20:17.000Z",
"dateReserved": "2022-06-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T08:01:20.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-3957 (GCVE-0-2016-3957)
Vulnerability from nvd – Published: 2018-02-06 18:00 – Updated: 2024-08-06 00:10
VLAI
Summary
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://devco.re/blog/2017/01/03/web2py-unseriali… | x_refsource_MISC |
| https://github.com/web2py/web2py/blob/R-2.14.1/gl… | x_refsource_MISC |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2016-03-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:10:31.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-3957",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/",
"refsource": "MISC",
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "https://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/gluon/utils.py#L200"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-3957",
"datePublished": "2018-02-06T18:00:00.000Z",
"dateReserved": "2016-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:10:31.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-3954 (GCVE-0-2016-3954)
Vulnerability from nvd – Published: 2018-02-06 18:00 – Updated: 2024-08-06 00:10
VLAI
Summary
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://devco.re/blog/2017/01/03/web2py-unseriali… | x_refsource_MISC |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2016-03-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:10:31.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-3954",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/",
"refsource": "MISC",
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-3954",
"datePublished": "2018-02-06T18:00:00.000Z",
"dateReserved": "2016-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:10:31.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-3952 (GCVE-0-2016-3952)
Vulnerability from nvd – Published: 2018-02-06 18:00 – Updated: 2024-08-06 00:10
VLAI
Summary
web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/web2py/web2py/commit/9706d125b… | x_refsource_CONFIRM |
| https://devco.re/blog/2017/01/03/web2py-unseriali… | x_refsource_MISC |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2016-03-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:10:31.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-3952",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40"
},
{
"name": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/",
"refsource": "MISC",
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-3952",
"datePublished": "2018-02-06T18:00:00.000Z",
"dateReserved": "2016-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:10:31.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-3953 (GCVE-0-2016-3953)
Vulnerability from nvd – Published: 2018-02-06 18:00 – Updated: 2024-08-06 00:10
VLAI
Summary
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://devco.re/blog/2017/01/03/web2py-unseriali… | x_refsource_MISC |
| https://github.com/web2py/web2py/blob/R-2.14.1/ap… | x_refsource_MISC |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2016-03-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:10:31.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-3953",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/",
"refsource": "MISC",
"url": "https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/"
},
{
"name": "https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-3953",
"datePublished": "2018-02-06T18:00:00.000Z",
"dateReserved": "2016-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:10:31.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6961 (GCVE-0-2015-6961)
Vulnerability from nvd – Published: 2017-10-18 20:00 – Updated: 2024-08-06 07:36
VLAI
Summary
Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/web2py/web2py/commit/e31a099cb… | x_refsource_CONFIRM |
| https://github.com/web2py/web2py/issues/731 | x_refsource_CONFIRM |
Date Public
2015-01-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:36:34.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/issues/731"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-18T19:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/issues/731"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-6961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0"
},
{
"name": "https://github.com/web2py/web2py/issues/731",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/issues/731"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-6961",
"datePublished": "2017-10-18T20:00:00.000Z",
"dateReserved": "2015-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:36:34.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10321 (GCVE-0-2016-10321)
Vulnerability from nvd – Published: 2017-04-10 14:00 – Updated: 2024-08-06 03:14
VLAI
Summary
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/web2py/web2py/issues/1585#issu… | x_refsource_CONFIRM |
| https://github.com/web2py/web2py/commit/944d8bd8f… | x_refsource_CONFIRM |
| https://usn.ubuntu.com/4030-1/ | vendor-advisoryx_refsource_UBUNTU |
Date Public
2017-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:14:43.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/issues/1585#issuecomment-284317919"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T21:06:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/issues/1585#issuecomment-284317919"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426"
},
{
"name": "USN-4030-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4030-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10321",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/web2py/web2py/issues/1585#issuecomment-284317919",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/issues/1585#issuecomment-284317919"
},
{
"name": "https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426",
"refsource": "CONFIRM",
"url": "https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426"
},
{
"name": "USN-4030-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4030-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10321",
"datePublished": "2017-04-10T14:00:00.000Z",
"dateReserved": "2017-04-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:14:43.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4808 (GCVE-0-2016-4808)
Vulnerability from nvd – Published: 2017-01-11 16:00 – Updated: 2024-08-06 00:39
VLAI
Summary
Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/39821/ | exploitx_refsource_EXPLOIT-DB |
| http://packetstormsecurity.com/files/137070/Web2p… | x_refsource_MISC |
Date Public
2016-04-02 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:39:26.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-04-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-11T15:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4808",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "39821",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"name": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4808",
"datePublished": "2017-01-11T16:00:00.000Z",
"dateReserved": "2016-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:39:26.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4807 (GCVE-0-2016-4807)
Vulnerability from nvd – Published: 2017-01-11 16:00 – Updated: 2024-08-06 00:39
VLAI
Summary
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/39821/ | exploitx_refsource_EXPLOIT-DB |
| http://packetstormsecurity.com/files/137070/Web2p… | x_refsource_MISC |
Date Public
2016-05-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:39:26.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-11T15:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4807",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "39821",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"name": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4807",
"datePublished": "2017-01-11T16:00:00.000Z",
"dateReserved": "2016-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:39:26.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4806 (GCVE-0-2016-4806)
Vulnerability from nvd – Published: 2017-01-11 16:00 – Updated: 2024-08-06 00:39
VLAI
Summary
Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/39821/ | exploitx_refsource_EXPLOIT-DB |
| http://packetstormsecurity.com/files/137070/Web2p… | x_refsource_MISC |
Date Public
2016-05-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:39:26.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-11T15:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "39821",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4806",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "39821",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39821/"
},
{
"name": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4806",
"datePublished": "2017-01-11T16:00:00.000Z",
"dateReserved": "2016-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:39:26.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2026-000021
Vulnerability from jvndb - Published: 2026-02-05 15:01 - Updated:2026-02-05 15:01
Severity
Summary
web2py vulnerable to open redirect
Details
web2py contains the following vulnerability.
- Open redirect (CWE-601) - CVE-2026-25198
References
| Type | URL | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000021.html",
"dc:date": "2026-02-05T15:01+09:00",
"dcterms:issued": "2026-02-05T15:01+09:00",
"dcterms:modified": "2026-02-05T15:01+09:00",
"description": "web2py contains the following vulnerability.\u003cul\u003e\u003cli\u003eOpen redirect (CWE-601) - CVE-2026-25198\u003c/li\u003e\u003c/ul\u003eShiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000021.html",
"sec:cpe": {
"#text": "cpe:/a:web2py:web2py",
"@product": "web2py",
"@vendor": "web2py",
"@version": "2.2"
},
"sec:cvss": {
"@score": "4.7",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2026-000021",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN46925341/index.html",
"@id": "JVN#46925341",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-25198",
"@id": "CVE-2026-25198",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "web2py vulnerable to open redirect"
}
JVNDB-2023-000101
Vulnerability from jvndb - Published: 2023-10-16 16:11 - Updated:2024-05-22 17:58
Severity
Summary
web2py vulnerable to OS command injection
Details
web2py web application framework contains an OS command injection vulnerability (CWE-78).
Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000101.html",
"dc:date": "2024-05-22T17:58+09:00",
"dcterms:issued": "2023-10-16T16:11+09:00",
"dcterms:modified": "2024-05-22T17:58+09:00",
"description": "web2py web application framework contains an OS command injection vulnerability (CWE-78).\r\n\r\nMasashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000101.html",
"sec:cpe": {
"#text": "cpe:/a:web2py:web2py",
"@product": "web2py",
"@vendor": "web2py",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "8.1",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000101",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN80476432/index.html",
"@id": "JVN#80476432",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-45158",
"@id": "CVE-2023-45158",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45158",
"@id": "CVE-2023-45158",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
}
],
"title": "web2py vulnerable to OS command injection"
}
JVNDB-2023-000020
Vulnerability from jvndb - Published: 2023-02-28 15:00 - Updated:2024-06-07 16:31
Severity
Summary
web2py development tool vulnerable to open redirect
Details
The admin development tool included in the web2py source code contains an open redirect vulnerability (CWE-601).
According to the developer, they do not recommend using the tool in operational environment or disclosing it on the Internet.
Takuto Yoshikai of Aeye Security Lab reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000020.html",
"dc:date": "2024-06-07T16:31+09:00",
"dcterms:issued": "2023-02-28T15:00+09:00",
"dcterms:modified": "2024-06-07T16:31+09:00",
"description": "The admin development tool included in the web2py source code contains an open redirect vulnerability (CWE-601).\r\nAccording to the developer, they do not recommend using the tool in operational environment or disclosing it on the Internet.\r\n\r\nTakuto Yoshikai of Aeye Security Lab reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000020.html",
"sec:cpe": {
"#text": "cpe:/a:web2py:web2py",
"@product": "web2py",
"@vendor": "web2py",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.7",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000020",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN78253670/index.html",
"@id": "JVN#78253670",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-22432",
"@id": "CVE-2023-22432",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-22432",
"@id": "CVE-2023-22432",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "web2py development tool vulnerable to open redirect"
}
JVNDB-2022-000047
Vulnerability from jvndb - Published: 2022-06-23 14:21 - Updated:2024-06-18 10:48
Severity
Summary
web2py vulnerable to open redirect
Details
web2py contains an open redirect vulnerability (CWE-601).
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000047.html",
"dc:date": "2024-06-18T10:48+09:00",
"dcterms:issued": "2022-06-23T14:21+09:00",
"dcterms:modified": "2024-06-18T10:48+09:00",
"description": "web2py contains an open redirect vulnerability (CWE-601).\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000047.html",
"sec:cpe": {
"#text": "cpe:/a:web2py:web2py",
"@product": "web2py",
"@vendor": "web2py",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.7",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-000047",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN02158640/index.html",
"@id": "JVN#02158640",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-33146",
"@id": "CVE-2022-33146",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-33146",
"@id": "CVE-2022-33146",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "web2py vulnerable to open redirect"
}