CVE-2016-4808
Published: 2017-01-11
Priority: P3 (49)
Severity: high, CVSS 3.0 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.74% (74.9th percentile)
Web2py versions 2.14.5 and below were affected by a CSRF (Cross-Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user into performing unwanted actions, i.e. an attacker can trick a victim into disabling the installed application just by sending a URL to the victim.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| web2py | web2py | <= 2.14.5 | — |
| web2py | web2py | >= 0 < 2.14.6 | 2.14.6 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
OSV (2022-05-17)
CVE-2016-4808 [MEDIUM] Web2py Cross-Site Request Forgery vulnerability
Web2py versions 2.14.5 and below were affected by a CSRF (Cross-Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in administrator into performing unwanted actions, i.e. an attacker can trick a victim into disabling the installed application just by visiting a URL.
GHSA (2022-05-17)
CVE-2016-4808 [MEDIUM] CWE-352 Web2py Cross-Site Request Forgery vulnerability
Web2py versions 2.14.5 and below were affected by a CSRF (Cross-Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in administrator into performing unwanted actions, i.e. an attacker can trick a victim into disabling the installed application just by visiting a URL.
No detection rules found.
No writeups or analysis indexed.