.. _docxmlrpcserver-xss:

Reflected XSS in DocXMLRPCServer
================================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

DocXMLRPCServer does not escape the server title when it renders the HTML documentation page. To exploit this, an attacker has to find a way to control the server title.

Dates:

* Disclosure date: **2019-09-21** (Python issue bpo-38243 reported)
* Red Hat impact: Moderate

Fixed In
--------

* Python **2.7.17** (2019-10-19) fixed by commit 8eb6415 (branch 2.7) (2019-10-01)
* Python **3.5.8** (2019-10-29) fixed by commit 3fe1b19 (branch 3.5) (2019-10-29)
* Python **3.6.10** (2019-12-18) fixed by commit 1698cac (branch 3.6) (2019-09-28)
* Python **3.7.5** (2019-10-14) fixed by commit 39a0c75 (branch 3.7) (2019-09-27)
* Python **3.8.0** (2019-10-14) fixed by commit 6447b9f (branch 3.8) (2019-09-27)

Python issue
------------

[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py.

* Python issue: bpo-38243
* Creation date: 2019-09-21
* Reporter: longwenzhang

CVE-2019-16935
--------------

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
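
The following is an added example for this page, not code from CPython or from the bug report. It gives a defender two checks for the issue described above: a lookup of the interpreter version against the "Fixed In" releases listed on this page, and a behavioural probe that renders the documentation page of a ``DocXMLRPCServer`` with a harmless marked-up title and confirms the title only reaches the page in ``html.escape()``'d form. The probe title, the server name ``example`` and the function names are constructed for the example; only the standard library is assumed.

```python
"""Regression probe for the DocXMLRPCServer title escaping bug (CVE-2019-16935).

Constructed example for this page; it is not code from CPython or from the
original bug report.  It assumes only the standard library.
"""
import html
import sys
from xmlrpc.server import DocXMLRPCServer

# Earliest release with the fix on each branch, as listed under "Fixed In".
FIXED_IN = {
    (2, 7): (2, 7, 17),
    (3, 5): (3, 5, 8),
    (3, 6): (3, 6, 10),
    (3, 7): (3, 7, 5),
    (3, 8): (3, 8, 0),
}


def version_is_fixed(version):
    """True if a (major, minor, micro) tuple is at or past the fixed release.

    Branches after 3.8 never shipped without the fix; branches older than
    those listed (e.g. 3.4) were end-of-life and never received it.
    """
    major, minor, micro = version[:3]
    branch = (major, minor)
    if branch in FIXED_IN:
        return (major, minor, micro) >= FIXED_IN[branch]
    return branch > (3, 8)


# Constructed probe title: harmless markup that only renders as HTML if the
# title reaches the page unescaped.
PROBE_TITLE = "My Server <b>probe</b>"


def render_docs(title):
    """Return the HTML documentation page a DocXMLRPCServer would serve.

    The socket is created but never bound (bind_and_activate=False), so the
    check needs no network access and nothing is ever served.
    """
    server = DocXMLRPCServer(("127.0.0.1", 0), logRequests=False,
                             bind_and_activate=False)
    try:
        server.set_server_name("example")  # constructed name
        server.set_server_title(title)
        return server.generate_html_documentation()
    finally:
        server.server_close()


def title_is_escaped(page, title):
    """True if the title appears in the page only in html.escape()'d form."""
    return title not in page and html.escape(title) in page


def interpreter_is_safe():
    """Behavioural check: does this interpreter escape the server title?"""
    return title_is_escaped(render_docs(PROBE_TITLE), PROBE_TITLE)


if __name__ == "__main__":
    v = sys.version_info[:3]
    print("Python %d.%d.%d: version table says fixed=%s, probe says escaped=%s"
          % (v + (version_is_fixed(v), interpreter_is_safe())))
```

Running the module prints both verdicts for the interpreter in use; a mismatch between the two (a version the table calls fixed whose probe still shows raw markup, or the reverse on a distribution-patched build) is the case worth investigating. On an interpreter that is not fixed, the mitigation is to never pass untrusted data to ``set_server_title`` and to upgrade to one of the releases listed above.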

* CVE ID: CVE-2019-16935
* Published: 2019-09-28
* CVSS Score: 4.3

Timeline
--------

Timeline using the disclosure date **2019-09-21** as reference:

* 2019-09-21: Python issue bpo-38243 reported by longwenzhang
* 2019-09-27 (**+6 days**): commit 39a0c75 (branch 3.7)
* 2019-09-27 (**+6 days**): commit 6447b9f (branch 3.8)
* 2019-09-28 (**+7 days**): CVE-2019-16935 published
* 2019-09-28 (**+7 days**): commit 1698cac (branch 3.6)
* 2019-10-01 (**+10 days**): commit 8eb6415 (branch 2.7)
* 2019-10-14: Python 3.8.0 released
* 2019-10-14 (**+23 days**): Python 3.7.5 released
* 2019-10-19 (**+28 days**): Python 2.7.17 released
* 2019-10-29 (**+38 days**): commit 3fe1b19 (branch 3.5)
* 2019-10-29 (**+38 days**): Python 3.5.8 released
* 2019-12-18 (**+88 days**): Python 3.6.10 released