CVE-2016-3953 – web2py
Package
Manager: pip
Name: web2py
Vulnerable Version: >=0 <2.14.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01507 (percentile 0.80488)
Details
web2py remote code execution via hardcoded encryption key in session.connect function
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the `session.connect` function.
Metadata
Created: 2022-05-14T00:57:47Z
Modified: 2023-08-03T22:44:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q2rq-qgcf-m22w/GHSA-q2rq-qgcf-m22w.json
CWE IDs: ["CWE-798"]
Alternative ID: GHSA-q2rq-qgcf-m22w
Finding: F009
Auto approve: 1