Vulnerabilites related to web2py - web2py
jvndb-2023-000020
Vulnerability from jvndb
Published
2023-02-28 15:00
Modified
2024-06-07 16:31
Severity ?
Summary
web2py development tool vulnerable to open redirect
Details
The admin development tool included in the web2py source code contains an open redirect vulnerability (CWE-601).
According to the developer, they do not recommend using the tool in operational environment or disclosing it on the Internet.
Takuto Yoshikai of Aeye Security Lab reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ► | Type | URL | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000020.html",
"dc:date": "2024-06-07T16:31+09:00",
"dcterms:issued": "2023-02-28T15:00+09:00",
"dcterms:modified": "2024-06-07T16:31+09:00",
"description": "The admin development tool included in the web2py source code contains an open redirect vulnerability (CWE-601).\r\nAccording to the developer, they do not recommend using the tool in operational environment or disclosing it on the Internet.\r\n\r\nTakuto Yoshikai of Aeye Security Lab reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000020.html",
"sec:cpe": {
"#text": "cpe:/a:web2py:web2py",
"@product": "web2py",
"@vendor": "web2py",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.7",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000020",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN78253670/index.html",
"@id": "JVN#78253670",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-22432",
"@id": "CVE-2023-22432",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-22432",
"@id": "CVE-2023-22432",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "web2py development tool vulnerable to open redirect"
}
jvndb-2022-000047
Vulnerability from jvndb
Published
2022-06-23 14:21
Modified
2024-06-18 10:48
Severity ?
Summary
web2py vulnerable to open redirect
Details
web2py contains an open redirect vulnerability (CWE-601).
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ► | Type | URL | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000047.html",
"dc:date": "2024-06-18T10:48+09:00",
"dcterms:issued": "2022-06-23T14:21+09:00",
"dcterms:modified": "2024-06-18T10:48+09:00",
"description": "web2py contains an open redirect vulnerability (CWE-601).\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000047.html",
"sec:cpe": {
"#text": "cpe:/a:web2py:web2py",
"@product": "web2py",
"@vendor": "web2py",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.7",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-000047",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN02158640/index.html",
"@id": "JVN#02158640",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-33146",
"@id": "CVE-2022-33146",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-33146",
"@id": "CVE-2022-33146",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "web2py vulnerable to open redirect"
}
jvndb-2023-000101
Vulnerability from jvndb
Published
2023-10-16 16:11
Modified
2024-05-22 17:58
Severity ?
Summary
web2py vulnerable to OS command injection
Details
web2py web application framework contains an OS command injection vulnerability (CWE-78).
Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ► | Type | URL |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000101.html",
"dc:date": "2024-05-22T17:58+09:00",
"dcterms:issued": "2023-10-16T16:11+09:00",
"dcterms:modified": "2024-05-22T17:58+09:00",
"description": "web2py web application framework contains an OS command injection vulnerability (CWE-78).\r\n\r\nMasashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000101.html",
"sec:cpe": {
"#text": "cpe:/a:web2py:web2py",
"@product": "web2py",
"@vendor": "web2py",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "8.1",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000101",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN80476432/index.html",
"@id": "JVN#80476432",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-45158",
"@id": "CVE-2023-45158",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45158",
"@id": "CVE-2023-45158",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
}
],
"title": "web2py vulnerable to OS command injection"
}
jvndb-2013-000040
Vulnerability from jvndb
Published
2013-05-20 15:16
Modified
2013-05-20 15:16
Summary
Cross-site scripting vulnerability in the web2py social bookmarking widget
Details
The social bookmarking widget (share.js) in web2py contains a cross-site scripting vulnerability.
web2py is a framework for creating and designing web applications. The social bookmarking widget in web2py contains a cross-site scripting vulnerability.
Yuji Kosuga of Everforth Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000040.html",
"dc:date": "2013-05-20T15:16+09:00",
"dcterms:issued": "2013-05-20T15:16+09:00",
"dcterms:modified": "2013-05-20T15:16+09:00",
"description": "The social bookmarking widget (share.js) in web2py contains a cross-site scripting vulnerability.\r\n\r\nweb2py is a framework for creating and designing web applications. The social bookmarking widget in web2py contains a cross-site scripting vulnerability.\r\n\r\nYuji Kosuga of Everforth Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000040.html",
"sec:cpe": {
"#text": "cpe:/a:web2py:web2py",
"@product": "web2py",
"@vendor": "web2py",
"@version": "2.2"
},
"sec:cvss": {
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2013-000040",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN10461119/index.html",
"@id": "JVN#10461119",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2311",
"@id": "CVE-2013-2311",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2311",
"@id": "CVE-2013-2311",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Cross-site scripting vulnerability in the web2py social bookmarking widget"
}
CVE-2023-45158 (GCVE-0-2023-45158)
Vulnerability from cvelistv5
Published
2023-10-16 07:53
Modified
2024-09-18 14:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- OS command injection
Summary
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/init/default/download"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN80476432/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:02:01.283678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:02:11.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "2.24.1 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "OS command injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T07:53:52.134Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://web2py.com/"
},
{
"url": "http://web2py.com/init/default/download"
},
{
"url": "https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3"
},
{
"url": "https://jvn.jp/en/jp/JVN80476432/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45158",
"datePublished": "2023-10-16T07:53:52.134Z",
"dateReserved": "2023-10-04T23:39:17.361Z",
"dateUpdated": "2024-09-18T14:02:11.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33146 (GCVE-0-2022-33146)
Vulnerability from cvelistv5
Published
2022-06-27 00:20
Modified
2024-08-03 08:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Open Redirect
Summary
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:20.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "versions prior to 2.22.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T00:20:17",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-33146",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "web2py",
"version": {
"version_data": [
{
"version_value": "versions prior to 2.22.5"
}
]
}
}
]
},
"vendor_name": "web2py"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Open Redirect"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://web2py.com/",
"refsource": "MISC",
"url": "http://web2py.com/"
},
{
"name": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"
},
{
"name": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451",
"refsource": "MISC",
"url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"
},
{
"name": "https://jvn.jp/en/jp/JVN02158640/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN02158640/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-33146",
"datePublished": "2022-06-27T00:20:17",
"dateReserved": "2022-06-14T00:00:00",
"dateUpdated": "2024-08-03T08:01:20.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22432 (GCVE-0-2023-22432)
Vulnerability from cvelistv5
Published
2023-03-05 00:00
Modified
2025-03-07 21:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Open Redirect
Summary
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:06.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/"
},
{
"tags": [
"x_transferred"
],
"url": "http://web2py.com/init/default/download"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN78253670/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T21:44:47.079414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T21:45:54.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "web2py",
"vendor": "web2py",
"versions": [
{
"status": "affected",
"version": "versions prior to 2.23.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://web2py.com/"
},
{
"url": "http://web2py.com/init/default/download"
},
{
"url": "https://jvn.jp/en/jp/JVN78253670/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22432",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2022-12-28T00:00:00.000Z",
"dateUpdated": "2025-03-07T21:45:54.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}