Test ID:	1.3.6.1.4.1.25623.1.0.118200
Category:	Web application abuses
Title:	Python < 2.7.17, 3.x < 3.5.8, 3.6.x < 3.6.10, 3.7.x < 3.7.5 XSS Vulnerability (bpo-38243) - Windows
Summary:	Python is prone to a reflected cross-site scripting (XSS); vulnerability.
Description:	Summary: Python is prone to a reflected cross-site scripting (XSS) vulnerability. Vulnerability Insight: The documentation XML-RPC server has XSS via the 'server_title' field. This occurs in 'Lib/DocXMLRPCServer.py' in Python 2.x, and in 'Lib/xmlrpc/server.py' in Python 3.x. If 'set_server_title' is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. Affected Software/OS: Python prior to version 2.7.17, versions 3.x prior to 3.5.8, 3.6.x prior to 3.6.10 and 3.7.x prior to 3.7.5. Solution: The vendor has released updates. Please see the references for more information. CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2019-16935 https://security.netapp.com/advisory/ntap-20191017-0004/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/ https://bugs.python.org/issue38243 https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897 https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213 https://github.com/python/cpython/pull/16373 https://www.oracle.com/security-alerts/cpujul2020.html https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html SuSE Security Announcement: openSUSE-SU-2019:2389 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html SuSE Security Announcement: openSUSE-SU-2019:2393 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html SuSE Security Announcement: openSUSE-SU-2019:2438 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html SuSE Security Announcement: openSUSE-SU-2019:2453 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html SuSE Security Announcement: openSUSE-SU-2020:0086 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html https://usn.ubuntu.com/4151-1/ https://usn.ubuntu.com/4151-2/
Copyright	Copyright (C) 2021 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.