CVE-2019-16935

Published: 28 Sep 2019
Source: debian
EPSS: Low

Description

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
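The check below is an added example, not code from this page or from CPython: it renders the DocXMLRPCServer documentation page offline (no listening socket) with a probe title and reports whether the running interpreter escapes server_title, and it adds an allow-list validator for callers that must run on interpreters predating the fix. The probe string, the allow-list pattern and the _DocOnlyGenerator helper are constructed assumptions.

```python
import html
import re
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed probe: markup that must never reach the generated page unescaped.
PROBE_TITLE = "docs <b>probe</b>"

# Assumed policy: titles are words, digits, spaces and a little punctuation;
# anything that can open a tag or an entity (< > & " ') is rejected outright.
_SAFE_TITLE = re.compile(r"^[\w .,:()-]{1,80}$")


class _DocOnlyGenerator(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """The documentation half of DocXMLRPCServer, without opening a socket."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def server_title_is_escaped(title=PROBE_TITLE):
    """Return True if this interpreter's xmlrpc.server escapes server_title.

    Unpatched versions interpolate the raw title into the generated page;
    patched versions emit html.escape(title) instead.
    """
    gen = _DocOnlyGenerator()
    gen.set_server_title(title)
    page = gen.generate_html_documentation()
    return title not in page and html.escape(title) in page


def title_is_safe(title):
    """Allow-list check for a title taken from configuration or a request."""
    return bool(_SAFE_TITLE.fullmatch(title))


def set_server_title_checked(server, title):
    """Apply a title only if it passes the allow-list; works on any interpreter."""
    if not title_is_safe(title):
        raise ValueError("server title contains characters that are not allowed")
    server.set_server_title(title)
    return title


if __name__ == "__main__":
    print("server_title escaped by this interpreter:", server_title_is_escaped())
```

On a fixed interpreter the check returns True; on an affected one it returns False, and the allow-list keeps untrusted markup out of set_server_title regardless of version.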

Packages

Package    Status     Fixed version       Release   Type
python3.8  fixed      3.8.0~rc1-1                   package
python3.7  fixed      3.7.5~rc1-1                   package
python3.7  fixed      3.7.3-2+deb10u1     buster    package
python3.5  removed                                  package
python3.4  removed                                  package
python3.4  ignored                        jessie    package
python2.7  fixed      2.7.17~rc1-1                  package
python2.7  fixed      2.7.16-2+deb10u1    buster    package
python2.7  ignored                        jessie    package
jython     fixed      2.7.2+repack1-5               package
jython     ignored                        bullseye  package
jython     ignored                        buster    package
jython     ignored                        stretch   package
jython     ignored                        jessie    package
pypy       fixed      7.3.2+dfsg-1                  package
pypy       ignored                        buster    package
pypy       no-dsa                         stretch   package
pypy       postponed                      jessie    package

Notes

  • https://bugs.python.org/issue38243

  • https://github.com/python/cpython/pull/16373

  • https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa (master)

  • https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 (3.8 branch)

  • https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687 (3.7 branch)

  • https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389 (3.6 branch)

  • https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89 (2.7 branch)

EPSS

Percentile: 70%
0.00649
Low

Related vulnerabilities

  • CVSS3: 6.1 | ubuntu | more than 5 years ago | description identical to the one above

  • CVSS3: 6.1 | redhat | more than 5 years ago | description identical to the one above

  • CVSS3: 6.1 | nvd | more than 5 years ago | description identical to the one above

  • CVSS3: 6.1 | github | about 3 years ago | description identical to the one above

  • oracle-oval | more than 4 years ago | ELSA-2020-3911: python security update (MODERATE)
