CVE-2019-16935

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-16935

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-16935.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-16935

Aliases

PSF-2019-6

Downstream

ALPINE-CVE-2019-16935

DEBIAN-CVE-2019-16935

DLA-2280-1

DLA-2628-1

RHSA-2020:1605

RHSA-2020:3888

RHSA-2020:3911

RHSA-2020:4285

RHSA-2020:4433

SUSE-SU-2019:2743-1

SUSE-SU-2019:2748-1

SUSE-SU-2019:2748-2

SUSE-SU-2019:2802-1

SUSE-SU-2020:0114-1

SUSE-SU-2020:0234-1

SUSE-SU-2020:2699-1

SUSE-SU-2020:3930-1

UBUNTU-CVE-2019-16935

USN-4151-1

USN-4151-2

USN-6891-1

openSUSE-SU-2019:2389-1

openSUSE-SU-2019:2393-1

openSUSE-SU-2019:2438-1

openSUSE-SU-2019:2453-1

openSUSE-SU-2020:0086-1

openSUSE-SU-2020:2332-1

openSUSE-SU-2020:2333-1

openSUSE-SU-2024:11202-1

openSUSE-SU-2024:11284-1

Related

Published

2019-09-28T02:15:10Z

Modified

2025-08-09T20:01:26Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the servertitle field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If setserver_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type: GIT
Repo: https://github.com/python/cpython
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c2f86d86e6c8f5fd1ef602128b537a48f3f5c063