An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
Open redirect vulnerability in web2py allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).
The sample web application in web2py might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
web2py allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status.
web2py does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
Web2py is affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user to perform some unwanted actions. An attacker can trick a victim to disable the installed application just by sending a URL to victim.