Vulnerability CVE-2016-4807


Published: 2017-01-11

Description:
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Web2py 2.14.5 CSRF / XSS / Local File Inclusion
Narendra Bhati
17.05.2016

Vendor: Web2py
Product: Web2py 
Version: 2.14.5;

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://packetstormsecurity.com/files/137070/Web2py-2.14.5-CSRF-XSS-Local-File-Inclusion.html
https://www.exploit-db.com/exploits/39821/

Related CVE
CVE-2016-10321
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
CVE-2016-4806
Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.
CVE-2016-4808
Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed applica...
CVE-2013-2311
Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Copyright 2017, cxsecurity.com

 

Back to Top