web2py@1.98.2 vulnerabilities

full-stack framework for rapid development and prototyping of secure database-driven web-based applications, written and programmable in Python.

Direct Vulnerabilities

Known vulnerabilities in the web2py package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below lists the vulnerability, its severity, the fix status and the vulnerable version range.
  • Brute Force (severity: High)

Affected versions of this package are vulnerable to Brute Force because the login flow does not check whether a host is denied before it verifies the submitted password, so lockout of a blocked host is not enforced.

How to fix Brute Force?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Arbitrary Code Execution (severity: High)

Affected versions of this package are vulnerable to Arbitrary Code Execution via the hardcoded encryption key used when calling the session.connect function.

How to fix Arbitrary Code Execution?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Information Exposure (severity: Medium)

Affected versions of this package are vulnerable to Information Exposure. A remote attacker can obtain the session_cookie_key value via a direct request to examples/simple_examples/status.
Note: this issue can be combined with CVE-2016-3957 by remote attackers to execute arbitrary code.

How to fix Information Exposure?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Cross-site Request Forgery (CSRF) (severity: Medium)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF), which allows an attacker to trick a logged-in administrator into performing unwanted actions.

How to fix Cross-site Request Forgery (CSRF)?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Open Redirect (severity: Medium)

Affected versions of this package are vulnerable to Open Redirect: a web2py user who visits a specially crafted URL can be redirected to an arbitrary website.

How to fix Open Redirect?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Open Redirect (severity: High)

Affected versions of this package are vulnerable to Open Redirect, which allows a remote attacker to redirect a user to an arbitrary website and conduct a phishing attack by having the user access a specially crafted URL.

How to fix Open Redirect?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Open Redirect (severity: Medium)

Affected versions of this package are vulnerable to Open Redirect in gluon/tools.py. It allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL supplied in the _next parameter to user/logout.

How to fix Open Redirect?

Upgrade web2py to version 2.12.1 or higher.

Vulnerable versions: [,2.12.1)
  • Arbitrary Code Execution (severity: Critical)

Affected versions of this package are vulnerable to Arbitrary Code Execution. The secure_load function in gluon/utils.py uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers who know the encryption_key to execute arbitrary code.

How to fix Arbitrary Code Execution?

Upgrade web2py to version 2.14.2 or higher.

Vulnerable versions: [,2.14.2)
  • Cross-site Scripting (XSS) (severity: Medium)

A Cross-site Scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable versions: [,2.3.2)