web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access.
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HWeb2py
APPWeb2Py< 2.14.1
Related vulnerabilities
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to u...
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session in...
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via ...
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote...
Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious ...