CVE-2019-16935 (NVD)

2019-09-28

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

Products Ubuntu_linux, Debian_linux, Python
Type Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
First patch - None (likely due to unavailable code)
Links https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/
https://www.oracle.com/security-alerts/cpujul2020.html
https://bugs.python.org/issue38243
https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html