CVE-2016-10516
Published: 23 October 2017
Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-werkzeug Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(0.12.2+dfsg1-2)
|
| trusty |
Released
(0.9.4+dfsg-1.1ubuntu2.1)
|
|
| upstream |
Released
(0.11.11)
|
|
| xenial |
Released
(0.10.4+dfsg1-1ubuntu1.1)
|
|
| zesty |
Not vulnerable
(0.11.15+dfsg1-1)
|
|
|
Patches: other: https://github.com/pallets/werkzeug/commit/1034edc7f901dd645ec6e462754111b39002bd65 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |