First published: Sat Sep 21 2019(Updated: )
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/python3 | <0:3.6.8-17.el7 | 0:3.6.8-17.el7 |
redhat/python | <0:2.7.5-89.el7 | 0:2.7.5-89.el7 |
redhat/python3 | <0:3.6.8-31.el8 | 0:3.6.8-31.el8 |
redhat/rh-python36-python | <0:3.6.12-1.el6 | 0:3.6.12-1.el6 |
redhat/rh-python36-python-pip | <0:9.0.1-5.el6 | 0:9.0.1-5.el6 |
redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el6 | 0:15.1.0-3.el6 |
redhat/rh-python36-python | <0:3.6.12-1.el7 | 0:3.6.12-1.el7 |
redhat/rh-python36-python-pip | <0:9.0.1-5.el7 | 0:9.0.1-5.el7 |
redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el7 | 0:15.1.0-3.el7 |
ubuntu/python2.7 | <2.7.15-4ubuntu4~18.04.2 | 2.7.15-4ubuntu4~18.04.2 |
ubuntu/python2.7 | <2.7.16-2ubuntu0.2 | 2.7.16-2ubuntu0.2 |
ubuntu/python2.7 | <2.7.6-8ubuntu0.6+ | 2.7.6-8ubuntu0.6+ |
ubuntu/python2.7 | <2.7.12-1ubuntu0~16.04.9 | 2.7.12-1ubuntu0~16.04.9 |
ubuntu/python3.4 | <3.4.3-1ubuntu1~14.04.7+ | 3.4.3-1ubuntu1~14.04.7+ |
ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.9 | 3.5.2-2ubuntu0~16.04.9 |
ubuntu/python3.6 | <3.6.8-1~18.04.3 | 3.6.8-1~18.04.3 |
ubuntu/python3.7 | <3.7.3-2ubuntu0.2 | 3.7.3-2ubuntu0.2 |
ubuntu/python3.7 | <3.7.5~ | 3.7.5~ |
>=2.7.0<2.7.17 | ||
>=3.0.0<3.5.8 | ||
>=3.6.0<3.6.10 | ||
>=3.7.0<3.7.5 | ||
=9.0 | ||
=12.04 | ||
=14.04 | ||
=16.04 | ||
=18.04 | ||
=19.04 | ||
Python Python | >=2.7.0<2.7.17 | |
Python Python | >=3.0.0<3.5.8 | |
Python Python | >=3.6.0<3.6.10 | |
Python Python | >=3.7.0<3.7.5 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.04 | |
redhat/python | <2.7.17 | 2.7.17 |
redhat/python | <3.5.8 | 3.5.8 |
redhat/python | <3.6.10 | 3.6.10 |
redhat/python | <3.7.5 | 3.7.5 |
debian/jython | <=2.7.1+repack1-4~deb10u1<=2.7.2+repack1-3 | 2.7.3+repack1-1 |
debian/pypy | <=7.0.0+dfsg-3 | 7.3.3+dfsg-2 |
debian/python2.7 | 2.7.16-2+deb10u1 2.7.16-2+deb10u3 2.7.18-8+deb11u1 | |
debian/python3.7 | 3.7.3-2+deb10u3 3.7.3-2+deb10u6 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2019-16935 is a reflected cross-site scripting (XSS) vulnerability found in the Python XML-RPC server.
The XSS vulnerability occurs in the server_title field of the XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4.
The severity of CVE-2019-16935 is medium with a CVSS score of 6.1.
Python versions 2.7.16, 3.6.9, and 3.7.x through 3.7.4 are affected by CVE-2019-16935.
To fix CVE-2019-16935, update Python to version 2.7.17, 3.5.8, 3.6.10, or 3.7.5 depending on the affected version.