CVE-2019-16935

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 28-09-2019 04:15

Last modified: - 19-01-2023 04:46

Total changes: - 3

Description

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

Low

Integrity

None

Privileges required

Changed

Scope

Required

User interaction

6.1

Base score

2.8

2.7

Exploitability score

Impact score

Verification logic

Reference

https://bugs.python.org/issue38243
https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213
https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897
https://github.com/python/cpython/pull/16373
USN-4151-1-Third Party Advisory
USN-4151-2-Third Party Advisory
https://security.netapp.com/advisory/ntap-20191017-0004/
openSUSE-SU-2019:2389-Mailing List, Third Party Advisory
openSUSE-SU-2019:2393-Mailing List, Third Party Advisory
openSUSE-SU-2019:2438-Mailing List, Third Party Advisory
openSUSE-SU-2019:2453-Mailing List, Third Party Advisory
FEDORA-2019-0d3fcae639-Mailing List, Third Party Advisory
FEDORA-2019-b06ec6159b-Mailing List, Third Party Advisory
FEDORA-2019-74ba24605e-Mailing List, Third Party Advisory
FEDORA-2019-d202cda4f8-Mailing List, Third Party Advisory
FEDORA-2019-758824a3ff-Mailing List, Third Party Advisory
FEDORA-2019-57462fa10d-Mailing List, Third Party Advisory
FEDORA-2019-7ec5bb5d22-Mailing List, Third Party Advisory
FEDORA-2019-a268ba7b23-Mailing List, Third Party Advisory
openSUSE-SU-2020:0086-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update-Mailing List, Third Party Advisory
[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update-Mailing List, Third Party Advisory

Keywords

CVE-2019-16935

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2019-16935

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures