An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
CVSS Score
9.8
EPSS Score
0.15
Published
2023-10-16
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
CVSS Score
6.1
EPSS Score
0.513
Published
2023-03-06
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.
CVSS Score
6.1
EPSS Score
0.012
Published
2022-06-27
web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access.
CVSS Score
7.8
EPSS Score
0.005
Published
2018-02-06
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
CVSS Score
9.8
EPSS Score
0.018
Published
2018-02-06
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.
CVSS Score
5.5
EPSS Score
0.005
Published
2018-02-06
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
CVSS Score
9.8
EPSS Score
0.15
Published
2018-02-06
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
CVSS Score
9.8
EPSS Score
0.005
Published
2017-04-10
Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.
CVSS Score
7.5
EPSS Score
0.087
Published
2017-01-11
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).
CVSS Score
4.8
EPSS Score
0.002
Published
2017-01-11
Page 1