Web2py

web2py

Vendor: Web2py • 13 CVEs

CVEs (13)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-45158 1Web2py 1Web2py Nov 21, 2024 Oct 16, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitra...Show more An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.Show less
CVE-2023-22432 1Web2py 1Web2py Mar 7, 2025 Mar 6, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a...Show more Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.Show less
CVE-2022-33146 1Web2py 1Web2py Nov 21, 2024 Jun 27, 2022 N/A· v4 6.1 MEDIUM· v3 5.8 MEDIUM· v2 Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.
CVE-2016-3957 1Web2py 1Web2py Nov 21, 2024 Feb 6, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowle...Show more The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.Show less
CVE-2016-3954 1Web2py 1Web2py Nov 21, 2024 Feb 6, 2018 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary cod...Show more web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.Show less
CVE-2016-3953 1Web2py 1Web2py Nov 21, 2024 Feb 6, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
CVE-2016-3952 1Web2py 1Web2py Nov 21, 2024 Feb 6, 2018 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by re...Show more web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access.Show less
CVE-2015-6961 1Web2py 1Web2py May 13, 2026 Oct 18, 2017 N/A· v4 6.1 MEDIUM· v3 5.8 MEDIUM· v2 Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.
CVE-2016-10321 1Web2py 1Web2py May 13, 2026 Apr 10, 2017 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
CVE-2016-4808 1Web2py 1Web2py May 6, 2026 Jan 11, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to...Show more Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim.Show less
CVE-2016-4807 1Web2py 1Web2py May 6, 2026 Jan 11, 2017 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).
CVE-2016-4806 1Web2py 1Web2py May 6, 2026 Jan 11, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.
CVE-2013-2311 1Web2py 1Web2py Apr 29, 2026 May 22, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.