CVE-2016-10516
Published: 23 October 2017
Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.
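The defect class described above, shown as an added illustration in Python; this is not Werkzeug's code or the upstream patch. The function names `render_full_unescaped` / `render_full_escaped` and the sample exception message are constructed for this example; only `html.escape` from the standard library is used. The point it demonstrates is that an exception message is attacker-influenced data (it often echoes request input), so a debug page that interpolates it into HTML without escaping becomes an XSS sink, and that escaping at the point of rendering neutralizes the markup while keeping the message readable.

```python
"""Illustration of the render_full XSS class and its fix (constructed example,
not Werkzeug's code). Names and sample data below are assumptions."""
import html

# Constructed sample: an exception whose message echoes request-controlled text,
# as happens when a lookup fails and the bad key is reported back.
SAMPLE_MESSAGE = 'No user named "<script>alert(1)</script>"'


def render_full_unescaped(exc_message: str) -> str:
    """Vulnerable pattern: exception text is dropped straight into HTML markup,
    so any tags in the message become part of the page's DOM."""
    return f'<h1>Error</h1><p class="detail">{exc_message}</p>'


def render_full_escaped(exc_message: str) -> str:
    """Hardened pattern: escape &, <, >, " and ' before interpolating, so the
    message is displayed literally and cannot introduce script or markup."""
    return f'<h1>Error</h1><p class="detail">{html.escape(exc_message)}</p>'


def carries_raw_tag(rendered: str, tag: str = "<script>") -> bool:
    """Defender-side check for a rendered debug page: True if a raw tag from the
    exception message survived into the output (i.e. escaping is missing)."""
    return tag in rendered


def message_survives_roundtrip(exc_message: str) -> bool:
    """Escaping must not lose information: unescaping the rendered text gives
    back the original message, so the fix costs nothing in debuggability."""
    escaped = html.escape(exc_message)
    return html.unescape(escaped) == exc_message


if __name__ == "__main__":
    for name, fn in (("unescaped", render_full_unescaped),
                     ("escaped", render_full_escaped)):
        out = fn(SAMPLE_MESSAGE)
        print(f"{name:10s} raw <script> present: {carries_raw_tag(out)}")
        print(f"{name:10s} {out}")
```

Running the block prints the two renderings side by side: the unescaped page contains a live `<script>` element, the escaped one contains `&lt;script&gt;` text. The same check applies to any debugger or error page that renders exception text, not only Werkzeug's.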
Priority
Status
Package | Release | Status |
---|---|---|
python-werkzeug (Launchpad, Ubuntu, Debian) | artful | Not vulnerable (0.12.2+dfsg1-2) |
python-werkzeug | trusty | Released (0.9.4+dfsg-1.1ubuntu2.1) |
python-werkzeug | upstream | Released (0.11.11) |
python-werkzeug | xenial | Released (0.10.4+dfsg1-1ubuntu1.1) |
python-werkzeug | zesty | Not vulnerable (0.11.15+dfsg1-1) |
Patches: other: https://github.com/pallets/werkzeug/commit/1034edc7f901dd645ec6e462754111b39002bd65
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |