Vulnerability CVE-2016-4806


Published: 2017-01-11   Modified: 2017-01-19

Description:
Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Web2py 2.14.5 CSRF / XSS / Local File Inclusion
Narendra Bhati
17.05.2016

Vendor: Web2py
Product: Web2py 
Version: 2.14.5;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html
https://www.exploit-db.com/exploits/39821/

Related CVE
CVE-2016-10321
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
CVE-2016-4807
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).
CVE-2016-4808
Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed applica...
CVE-2013-2311
Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Copyright 2017, cxsecurity.com

 

Back to Top