JVN#78253670: web2py development tool vulnerable to open redirect

Source: Japan Vulnerability Notes (jvn.jp)
Published: 2023-02-28 00:00:00
Tags: web2py, open redirect, cwe-601, phishing, update, software, vulnerability, disclosure, internet, version 2.23.1

CVSS3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

EPSS: 0.003 (Percentile: 66.2%)

The admin development tool included in the web2py source code contains an open redirect vulnerability (CWE-601).
According to the developer, the tool is not recommended for use in production environments or for exposure on the Internet.

Impact

When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
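The impact described above is the general CWE-601 pattern: a redirect target taken from the request (for example a `?next=` parameter) is passed to the redirect call unchecked. The Python below is an added illustration written for this page; it is not web2py's code and not the change shipped in 2.23.1. It shows the unsafe pattern next to a validator that only ever emits a root-relative path on the application's own host, and it goes beyond the advisory's wording by also handling the browser-side parsing quirks (scheme-relative `//host`, backslashes, embedded tabs, `userinfo@host`, a doubled leading slash in the path) that commonly defeat naive checks. The host name `app.example.test`, the function names and the sample values are assumptions constructed for the example.

```python
# Added illustration of the CWE-601 pattern and one way to close it.
# Not web2py's code and not the fix in 2.23.1; APP_HOST and the function
# names are assumptions made for this example.
import re
from urllib.parse import urlsplit, urlunsplit

APP_HOST = "app.example.test"  # constructed: the only host we redirect to


def redirect_target_unsafe(next_url: str) -> str:
    """The open-redirect anti-pattern: a request parameter such as
    ?next=... is handed straight to the redirect call (CWE-601)."""
    return next_url


def safe_redirect_target(next_url, default="/", allowed_hosts=(APP_HOST,)):
    """Return a same-site, root-relative target derived from next_url,
    or `default` when the value would send the user off the application."""
    if not next_url:
        return default
    # Browsers drop tabs/newlines anywhere in a URL and treat "\" like "/",
    # so normalise the same way before parsing (WHATWG URL parsing rules).
    candidate = re.sub(r"[\t\r\n]", "", next_url).strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Only http(s) may pass; javascript:, data:, etc. are rejected outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default

    if parts.netloc:
        # Absolute or scheme-relative ("//evil.example") URL: the host must
        # be ours. .hostname discards userinfo and port, so
        # "https://app.example.test@evil.example/" is seen as evil.example.
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
        path = parts.path or "/"
    else:
        path = parts.path

    # Require exactly one leading slash. A path beginning with "//" would be
    # read by the browser as a new authority once re-emitted without a host.
    # (urlsplit already folds "///evil.example" down to path "/evil.example".)
    if not path.startswith("/") or path.startswith("//"):
        return default

    # Re-emit as a relative URL so scheme and host are never user-controlled.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values a login handler might see in ?next=
    for value in ("/dashboard", "//evil.example/x", "/\\evil.example",
                  "https://app.example.test/welcome?x=1", "javascript:alert(1)"):
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The validator returns a normalised relative path rather than the original string, so even an accepted absolute URL on the allowed host is re-issued without a scheme or authority; a plain relative value such as `relative/path` is rejected on purpose, since its meaning depends on the current page. Rejected values fall back to a fixed default instead of an error, which is the usual choice for a post-login redirect.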

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Products Affected

  • web2py versions prior to 2.23.1
