CVE-2022-22818

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-22818

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22818.json

Aliases

BIT-django-2022-22818
GHSA-95rw-fx8r-36v6
PYSEC-2022-19

Related

DLA-2906-1
DLA-3191-1
DSA-5254-1
RLSA-2022:5498
RLSA-2022:8506
USN-5269-1
USN-5269-2

Published

2022-02-03T02:15:07Z

Modified

2023-12-06T01:01:58.226668Z

Details

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

References

https://security.netapp.com/advisory/ntap-20220221-0003/
https://www.debian.org/security/2022/dsa-5254
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
https://docs.djangoproject.com/en/4.0/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/

Affected packages

Git / github.com/django/django

Affected ranges

Type: GIT
Repo: https://github.com/django/django
Events: Introduced

b6475d7d7940f3ce575e0b0f2d83e517f899b4cf

Fixed

fdf209eab8949ddc345aa0212b349c79fc6fdebb

Introduced

67d0c4644acfd7707be4a31e8976f865509b09ac

Introduced

635d53a86a36cde7866b9caefeb64d809e6bfcd9

Affected versions

3.*

3.2

3.2.1

3.2.10

3.2.11

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9