Web2py

Web2py

13 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2023-45158

  • EPSS 15.03%
  • Veröffentlicht 16.10.2023 08:15:09
  • Zuletzt bearbeitet 21.11.2024 08:26:27

An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web serve...

6.1

CVE-2023-22432

  • EPSS 38.22%
  • Veröffentlicht 06.03.2023 00:15:10
  • Zuletzt bearbeitet 07.03.2025 22:15:36

Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.

6.1

CVE-2022-33146

  • EPSS 0.6%
  • Veröffentlicht 27.06.2022 01:15:07
  • Zuletzt bearbeitet 21.11.2024 07:07:35

Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.

7.8

CVE-2016-3952

Exploit
  • EPSS 0.4%
  • Veröffentlicht 06.02.2018 18:29:00
  • Zuletzt bearbeitet 21.11.2024 02:51:01

web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain adminis...

9.8

CVE-2016-3953

Exploit
  • EPSS 1.51%
  • Veröffentlicht 06.02.2018 18:29:00
  • Zuletzt bearbeitet 21.11.2024 02:51:01

The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.

5.5

CVE-2016-3954

Exploit
  • EPSS 0.39%
  • Veröffentlicht 06.02.2018 18:29:00
  • Zuletzt bearbeitet 21.11.2024 02:51:01

web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.

9.8

CVE-2016-3957

Exploit
  • EPSS 12.74%
  • Veröffentlicht 06.02.2018 18:29:00
  • Zuletzt bearbeitet 21.11.2024 02:51:01

The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.

6.1

CVE-2015-6961

  • EPSS 0.23%
  • Veröffentlicht 18.10.2017 20:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.

9.8

CVE-2016-10321

  • EPSS 0.47%
  • Veröffentlicht 10.04.2017 14:59:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.

7.5

CVE-2016-4806

Exploit
  • EPSS 6.72%
  • Veröffentlicht 11.01.2017 16:59:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.