6.1

CVE-2019-16935

Exploit

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

Data is provided by the National Vulnerability Database (NVD)
PythonPython Version >= 2.7.0 < 2.7.17
PythonPython Version >= 3.0.0 < 3.5.8
PythonPython Version >= 3.6.0 < 3.6.10
PythonPython Version >= 3.7.0 < 3.7.5
DebianDebian Linux Version9.0
CanonicalUbuntu Linux Version12.04 SwEdition-
CanonicalUbuntu Linux Version14.04 SwEditionesm
CanonicalUbuntu Linux Version16.04 SwEditionesm
CanonicalUbuntu Linux Version18.04 SwEditionlts
CanonicalUbuntu Linux Version19.04
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.84% 0.74
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://usn.ubuntu.com/4151-1/
Third Party Advisory
https://usn.ubuntu.com/4151-2/
Third Party Advisory
https://bugs.python.org/issue38243
Vendor Advisory
Exploit
https://github.com/python/cpython/pull/16373
Third Party Advisory
Exploit