
CVE-2024-21520 – djangorestframework: Cross-site Scripting (XSS) via break_long_headers
https://notcve.org/view.php?id=CVE-2024-21520
26 Jun 2024 — Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with <br> tags. A vulnerability was found... • https://github.com/ch4n3-yoon/CVE-2024-21520-Demo • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-27351 – python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
https://notcve.org/view.php?id=CVE-2024-27351
05 Mar 2024 — In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. • http://www.openwall.com/lists/oss-security/2024/03/04/1 • CWE-1333: Inefficient Regular Expression Complexity

CVE-2018-25045
https://notcve.org/view.php?id=CVE-2018-25045
23 Jul 2022 — Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping. • https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')