Description
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
A reflected cross-site scripting (XSS) vulnerability was found in the Python XML-RPC server. The server_title field is not sufficiently sanitized, allowing malicious JavaScript to be injected. Successful exploitation would allow a remote attacker to execute JavaScript code within the context of the affected user.
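The description above says that a value handed to set_server_title reaches the documentation page without escaping. The following is an added example, not code from this advisory or from CPython: it renders the DocXMLRPCServer documentation page offline (no socket is bound) with a constructed probe title, so an administrator can verify whether the installed interpreter escapes server_title at render time, and it shows an allowlist check for titles taken from configuration. OfflineDocGenerator, PROBE_TITLE, checked_server_title and the allowlist pattern are this example's own names and policy, not part of the standard library.

```python
import html
import re
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed probe (not a real title): it carries the HTML metacharacters
# that must not reach the page unescaped. A closing </title> is included so
# that an unescaped result visibly truncates the <title> element.
PROBE_TITLE = 'docs </title><b>probe</b> & co'

# Hypothetical allowlist policy for titles that come from configuration or
# users; not part of the standard library. Letters, digits, space and a few
# punctuation characters that carry no meaning in HTML.
_ALLOWED_TITLE = re.compile(r'[A-Za-z0-9 ._:()-]{1,80}')

DEFAULT_TITLE = 'XML-RPC Server Documentation'


class OfflineDocGenerator(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """The two mix-ins behind DocXMLRPCServer without the HTTP server, so the
    documentation page can be rendered without listening on a port."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def ping():
    """Sample exported method so the rendered page has a Methods section."""
    return 'pong'


def render_docs(title):
    """Render the documentation page for a server whose title is `title`."""
    gen = OfflineDocGenerator()
    gen.register_function(ping)
    gen.set_server_title(title)
    return gen.generate_html_documentation()


def extract_title(page):
    """Return the raw text between the first <title> and </title>."""
    match = re.search(r'<title>(.*?)</title>', page, re.S)
    return match.group(1) if match else ''


def interpreter_escapes_title():
    """True when the installed xmlrpc.server escapes server_title when it
    renders the page (fix present); False on the affected versions listed
    above, where the probe's markup is emitted verbatim."""
    rendered = extract_title(render_docs(PROBE_TITLE))
    return html.escape(PROBE_TITLE) in rendered and '<' not in rendered


def checked_server_title(candidate, fallback=DEFAULT_TITLE):
    """Validate instead of escaping: accept the candidate only if it matches
    the allowlist, otherwise use the fallback. Escaping before calling
    set_server_title would be escaped a second time (&amp;lt;) on patched
    interpreters; an allowlist behaves the same on patched and unpatched ones."""
    return candidate if _ALLOWED_TITLE.fullmatch(candidate) else fallback


if __name__ == '__main__':
    state = 'escapes' if interpreter_escapes_title() else 'DOES NOT escape'
    print(f'this interpreter {state} server_title in the documentation page')
    print('accepted title:', checked_server_title('Billing API v2'))
    print('rejected probe, fallback used:', checked_server_title(PROBE_TITLE))
```

Run the script on the host in question: on an interpreter carrying the fix it reports that the title is escaped, on an affected one the probe's markup lands in the page unchanged. The allowlist is the mitigation to apply in application code regardless of the interpreter version, since escaping at the wrong layer produces double-escaped titles once the interpreter is patched.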
Statement
This flaw does not affect the versions of python27-python as shipped with Red Hat Software Collections 3 as they already include the fix. This flaw does not affect the versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 as they are "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | python | Out of support scope | ||
Red Hat Enterprise Linux 6 | python | Out of support scope | ||
Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | ||
Red Hat Software Collections | python27-python | Not affected | ||
Red Hat Enterprise Linux 7 | python3 | Fixed | RHSA-2020:3888 | 29.09.2020 |
Red Hat Enterprise Linux 7 | python | Fixed | RHSA-2020:3911 | 29.09.2020 |
Red Hat Enterprise Linux 8 | python27 | Fixed | RHSA-2020:1605 | 28.04.2020 |
Red Hat Enterprise Linux 8 | python3 | Fixed | RHSA-2020:4433 | 04.11.2020 |
Red Hat OpenShift Do | openshiftdo/odo-init-image-rhel7 | Fixed | RHSA-2021:0949 | 22.03.2021 |
Additional information
Status:
EPSS:
CVSS3: 6.1 Medium