汇总 web2py 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 开放重定向、跨站脚本、路径处理缺陷与CSRF,在 软件部署与生产负载 使用场景中可能带来 文件覆盖与会话劫持 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2023-45158 | An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product. | [email protected] | 9.8 | 15.03% | 2023-10-16 | 2024-11-21 |
| CVE-2023-22432 | Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. | [email protected] | 6.1 | 40.76% | 2023-03-06 | 2025-03-07 |
| CVE-2022-33146 | Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL. | [email protected] | 6.1 | 0.60% | 2022-06-27 | 2024-11-21 |
| CVE-2016-3957 | The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key. | [email protected] | 9.8 | 12.74% | 2018-02-06 | 2024-11-21 |
| CVE-2016-3954 | web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957. | [email protected] | 5.5 | 0.39% | 2018-02-06 | 2024-11-21 |
| CVE-2016-3953 | The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function. | [email protected] | 9.8 | 1.51% | 2018-02-06 | 2024-11-21 |
| CVE-2016-3952 | web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access. | [email protected] | 7.8 | 0.40% | 2018-02-06 | 2024-11-21 |
| CVE-2015-6961 | Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout. | [email protected] | 6.1 | 0.23% | 2017-10-18 | 2026-05-13 |
| CVE-2016-10321 | web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks. | [email protected] | 9.8 | 0.47% | 2017-04-10 | 2026-05-13 |
| CVE-2016-4808 | Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim. | [email protected] | 8.8 | 0.23% | 2017-01-11 | 2026-05-06 |
| CVE-2016-4807 | Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin). | [email protected] | 4.8 | 0.41% | 2017-01-11 | 2026-05-06 |
| CVE-2016-4806 | Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files. | [email protected] | 7.5 | 6.72% | 2017-01-11 | 2026-05-06 |
| CVE-2013-2311 | Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | [email protected] | 4.3 | 0.25% | 2013-05-22 | 2026-04-29 |