CVE-2019-16935 — Cross-site Scripting in Python

CWE-79 — Cross-site Scripting21 documents8 sources

Severity

6.1MEDIUMNVD

OSV7.6OSV7.5

EPSS

2.3%

top 15.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jython Project Jython Python Debian Jython +4 more

Timeline

PublishedSep 28

Latest updateJul 11

Description

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDpython/python2.7.0 — 2.7.17+3

▶debiandebian/python2.7< jython 2.7.2+repack1-5 (bookworm)

▶debiandebian/pypy< jython 2.7.2+repack1-5 (bookworm)

▶debiandebian/jython< jython 2.7.2+repack1-5 (bookworm)

▶Debianjython_project/jython< 2.7.2+repack1-5+2

Also affects: Debian Linux 9.0, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 19.04

🔴Vulnerability Details

OSV

python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11

▶

GHSA

GHSA-qhmv-wcg2-h8hx: The documentation XML-RPC server in Python through 2↗2022-05-24

▶

OSV

python2.7, python3.4 vulnerabilities↗2019-10-10

▶

OSV

python2.7, python3.5, python3.6, python3.7 vulnerabilities↗2019-10-09

▶

OSV

CVE-2019-16935: The documentation XML-RPC server in Python through 2↗2019-09-28

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Ubuntu

Python vulnerabilities↗2019-10-10

▶

Ubuntu

Python vulnerabilities↗2019-10-09

▶

Red Hat

python: XSS vulnerability in the documentation XML-RPC server in server_title field↗2019-09-21

▶

Debian

CVE-2019-16935: jython - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, an...↗2019

▶

💬Community

HackerOne

A reflected XSS in python/Lib/DocXMLRPCServer.py↗2019-10-19

▶

Bugzilla

CVE-2019-16935 python: XSS vulnerability in the documentation XML-RPC server in server_title field↗2019-10-18

▶

Bugzilla

CVE-2019-16935 python34: python: XSS vulnerability in the documentation XML-RPC server in server_title field [fedora-all]↗2019-10-18

▶

Bugzilla

CVE-2019-16935 python2: python: XSS vulnerability in the documentation XML-RPC server in server_title field [fedora-all]↗2019-10-18

▶

Bugzilla

CVE-2019-16935 python36: python: XSS vulnerability in the documentation XML-RPC server in server_title field [fedora-all]↗2019-10-18

▶