DEBIAN-CVE-2019-16935

Advisory lineage Upstream: 1 Downstream: 2

Upstream

CVE-2019-16935

Downstream

DLA-2280-1 DLA-2628-1

Published: 28 Sept 2019, 02:15

Last modified:28 Apr 2026, 20:20

Vulnerability Summary

Overall Risk (default)

low

24/100

CVSS Score

6.1 MEDIUM

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

28 Sept 2019, 02:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:20

Last Modified

Vulnerability information updated

Description

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

CVSS Metrics

v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Systems

debian•jython
all | < 2.7.2+repack1-5 | < 2.7.2+repack1-5 | < 2.7.2+repack1-5
debian•pypy
< 7.3.2+dfsg-1
debian•python2.7
< 2.7.17~rc1-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2019-16935