CVE-2024-41810
HTML injection in HTTP redirect body
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability: the redirect target URL is placed into the HTML body of the redirect response without being neutralised. If application code allows an attacker to control the redirect URL, this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
A Cross-site scripting (XSS) vulnerability exists in Python-Twisted in the `twisted.web.util.redirectTo` function. Where an attacker can control the redirect URL, this flaw leads to reflected XSS in the HTML body of the redirect response. If exploited, a remote attacker could inject malicious HTML, causing unauthorized JavaScript execution within the victim's browser session. This issue can result in unauthorized access to the victim's account and data, or allow the attacker to perform operations on behalf of the victim.
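The defect class described above, as an added illustration that is not Twisted's code: a constructed, simplified redirect helper that interpolates the target URL into an HTML body the way the advisory describes, shown unescaped beside the hardened form, plus a check a reviewer or test suite could use to detect the unescaped pattern. The function names and the exact body layout are assumptions for illustration only.

```python
import html

# Constructed, simplified model of a redirect helper that, like the pattern
# described in CVE-2024-41810, writes the target URL into an HTML body.
# This is NOT Twisted's redirectTo; it only illustrates the defect and the fix.


def redirect_body_unsafe(url: str) -> str:
    """Vulnerable pattern: the URL lands in attribute and text contexts verbatim."""
    return (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0;URL={url}">'
        "</head><body>"
        f'<a href="{url}">click here</a>'
        "</body></html>"
    )


def redirect_body_safe(url: str) -> str:
    """Hardened pattern: HTML-escape the URL (including quotes) before use
    in both the attribute values and the anchor, so it cannot close the
    surrounding markup."""
    quoted = html.escape(url, quote=True)  # escapes & < > " '
    return (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0;URL={quoted}">'
        "</head><body>"
        f'<a href="{quoted}">click here</a>'
        "</body></html>"
    )


def markup_injected(body: str, url: str) -> bool:
    """Detection check for a test suite: True when untrusted input containing
    HTML-significant characters appears verbatim in the rendered body."""
    return any(c in url for c in '<>"') and url in body
```

A unit test built on `markup_injected` flags any redirect helper that reflects markup characters unchanged, which is the property the fix in 24.7.0rc1 restores.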
SSVC
- Decision: Track*
Timeline
- 2024-07-22 CVE Reserved
- 2024-07-29 CVE Published
- 2024-08-02 CVE Updated
- 2024-09-30 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
References (4)

URL | Tag | Source
---|---|---
https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2 | X_refsource_confirm |
https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33 | X_refsource_misc |

URL | Date | SRC
---|---|---
https://access.redhat.com/security/cve/CVE-2024-41810 | 2024-09-27 |
https://bugzilla.redhat.com/show_bug.cgi?id=2300497 | 2024-09-27 |