
Mark Ramm-Christensen

#17945 of 53,633
15 Total CVSS
Vulnerabilities · 2
High · 2
PT-2010-1816
7.5
2010-11-05
Turbogears · Turbogears2 · CVE-2009-5014
**Name of the Vulnerable Software and Affected Versions**
TurboGears2 versions prior to 2.0.2

**Description**
The default quickstart configuration has a weak cookie salt, making it easier for remote attackers to bypass authentication via a forged authorization cookie.

**Recommendations**
For versions prior to 2.0.2, update to version 2.0.2 or later to resolve the issue.

PT-2010-1817
7.5
2010-11-05
Turbogears · Turbogears2 · CVE-2009-5015
**Name of the Vulnerable Software and Affected Versions**
TurboGears2 versions prior to 2.0.2

**Description**
The issue in TurboGears2 concerns the URL dispatch mechanism, which exposes controller methods even when the `@expose` decorator is not used. The impact and attack vectors are unspecified.

**Recommendations**
For versions prior to 2.0.2, update to version 2.0.2 or later to resolve the issue.