Search for vulnerabilities
Vulnerability details: VCID-g2ay-gsja-aaaj
Vulnerability ID VCID-g2ay-gsja-aaaj
Aliases CVE-2019-16935
Summary The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16935.html
rhas Moderate https://access.redhat.com/errata/RHSA-2020:1605
rhas Moderate https://access.redhat.com/errata/RHSA-2020:3888
rhas Moderate https://access.redhat.com/errata/RHSA-2020:3911
rhas Moderate https://access.redhat.com/errata/RHSA-2020:4285
rhas Moderate https://access.redhat.com/errata/RHSA-2020:4433
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16935.json
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00212 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00426 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00426 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00426 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00426 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00649 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00803 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00852 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00852 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00852 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00852 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00852 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00852 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
epss 0.00852 https://api.first.org/data/v1/epss?cve=CVE-2019-16935
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1763229
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935
cvssv3 5.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Low https://github.com/python/cpython/pull/16373
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2019-16935
cvssv3 6.1 https://nvd.nist.gov/vuln/detail/CVE-2019-16935
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2019-16935
generic_textual Low https://ubuntu.com/security/notices/USN-4151-1
generic_textual Low https://ubuntu.com/security/notices/USN-4151-2
generic_textual Low https://usn.ubuntu.com/usn/usn-4151-1
generic_textual Low https://usn.ubuntu.com/usn/usn-4151-2
cvssv3.1 9.8 https://www.oracle.com/security-alerts/cpujul2020.html
generic_textual CRITICAL https://www.oracle.com/security-alerts/cpujul2020.html
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16935.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16935.json
https://api.first.org/data/v1/epss?cve=CVE-2019-16935
https://bugs.python.org/issue38243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897
https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213
https://github.com/python/cpython/pull/16373
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/
https://security.netapp.com/advisory/ntap-20191017-0004/
https://ubuntu.com/security/notices/USN-4151-1
https://ubuntu.com/security/notices/USN-4151-2
https://usn.ubuntu.com/4151-1/
https://usn.ubuntu.com/4151-2/
https://usn.ubuntu.com/usn/usn-4151-1
https://usn.ubuntu.com/usn/usn-4151-2
https://www.oracle.com/security-alerts/cpujul2020.html
1027149 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027149
1763229 https://bugzilla.redhat.com/show_bug.cgi?id=1763229
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2019-16935 https://nvd.nist.gov/vuln/detail/CVE-2019-16935
RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605
RHSA-2020:3888 https://access.redhat.com/errata/RHSA-2020:3888
RHSA-2020:3911 https://access.redhat.com/errata/RHSA-2020:3911
RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285
RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433
RHSA-2021:0949 https://access.redhat.com/errata/RHSA-2021:0949
USN-6891-1 https://usn.ubuntu.com/6891-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16935.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-16935
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-16935
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-16935
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujul2020.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.59471
EPSS Score 0.00212
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.