CVE-2016-10516

CVE	CVE-2016-10516
State	PUBLISHED
Assigner	mitre
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-10-23 16:29:00 UTC
Updated	2025-04-20 01:37:25 UTC
Description	Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.

Primary CVSS: v3.0 6.1 MEDIUM from [email protected]

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem Types: CWE-79 | n/a

Version	Source	Type	Score	Severity	Vector
3.0	[email protected]	Primary	6.1	MEDIUM	`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
2.0	[email protected]	Primary	4.3		`AV:N/AC:M/Au:N/C:N/I:P/A:N`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Type	Vendor	Product	Version	Update	Edition	Language
Application	Palletsprojects	Werkzeug	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified

Reference	Source	Link	Tags
Flask Debugger页面上的通用XSS漏洞分析和挖掘过程记录 - Nearg1e	af854a3a-2127-422b-91ae-364da2661108	blog.neargle.com	Issue Tracking
[SECURITY] [DLA 1191-1] python-werkzeug security update	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org
Fix XSS in debugger by neargle · Pull Request #1001 · pallets/werkzeug · GitHub	af854a3a-2127-422b-91ae-364da2661108	github.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.