Massimo Di Pierro

6 exploits Active since Feb 2018
CVE-2016-3957 NOMISEC CRITICAL WORKING POC
web2py < 2.14.2 - Remote Code Execution via Pickle Deserialization in Session Cookie
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
CVSS 9.8
CVE-2016-3957 WRITEUP CRITICAL WRITEUP
web2py < 2.14.2 - Remote Code Execution via Pickle Deserialization in Session Cookie
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
CVSS 9.8
CVE-2022-33146 WRITEUP MEDIUM WRITEUP
web2py < 2.22.5 - Open Redirect via Crafted URL
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL.
CVSS 6.1
CVE-2023-45158 WRITEUP CRITICAL WRITEUP
web2py < 2.24.1 - OS Command Injection via notifySendHandler Logging
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server running the product.
CVSS 9.8
CVE-2026-25198 WRITEUP MEDIUM WRITEUP
web2py <= 2.27.1-stable+timestamp.2023.11.16.08.03.57 - Open Redirect via Crafted URL
web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
CVSS 4.7