PYSEC-2022-19 — Vulnetix

PYSEC-2022-19 PUBLISHED CVSS 9.300000190734863 CRITICAL

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	django	2.2, 3.2, 4.0

Timeline

Feb 3, 2022 CVE Published
Dec 6, 2023 CVE Updated

References

https://docs.djangoproject.com/en/4.0/releases/security/ url
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ article
https://groups.google.com/forum/#!forum/django-announce url
https://github.com/advisories/GHSA-95rw-fx8r-36v6 advisory

Open in Interactive Console →