CVE-2022-22818
Published 2022-02-03
Priority: P4 · 28 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 3.33% (87.1st percentile)
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-django | < python-django 2:3.2.12-1 (bookworm) | python-django 2:3.2.12-1 (bookworm) |
| djangoproject | django | >= 2.2 < 2.2.27 | 2.2.27 |
| djangoproject | django | >= 3.2 < 3.2.12 | 3.2.12 |
| djangoproject | django | >= 4.0 < 4.0.2 | 4.0.2 |
| fedoraproject | fedora | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
OSV · python-django vulnerabilities · 2022-02-07 · CVSS 6.1 (MEDIUM)
USN-5269-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Keryn Knight discovered that Django incorrectly handled certain template
tags. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2022-22818)
Alan Ryan discovered that Django incorrectly handled file uploads. A remote
attacker could possibly use this issue to cause Django to hang, resulting
in a denial of service. (CVE-2022-23833)
GHSA · Cross-site Scripting in Django · 2022-02-04 · MEDIUM · CWE-79
The `{% debug %}` template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
OSV · Cross-site Scripting in Django · 2022-02-04 · MEDIUM
The `{% debug %}` template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
OSV · CVE-2022-22818: The {% debug %} template tag in Django 2 · 2022-02-03 · CVSS 6.1 (MEDIUM)
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
OSV · python-django vulnerabilities · 2022-02-03 · CVSS 6.1 (MEDIUM)
Advisory details (Keryn Knight, CVE-2022-22818; Alan Ryan, CVE-2022-23833) are identical to the OSV 2022-02-07 entry above.
Ubuntu · Django vulnerabilities · 2022-02-07 · CVSS 6.1 (MEDIUM)
Summary: Several security issues were fixed in Django.
USN-5269-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. The original advisory details (Keryn Knight, CVE-2022-22818; Alan Ryan, CVE-2022-23833) are identical to the OSV 2022-02-07 entry above.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu · Django vulnerabilities · 2022-02-03 · CVSS 6.1 (MEDIUM)
Summary: Several security issues were fixed in Django.
Advisory details (Keryn Knight, CVE-2022-22818; Alan Ryan, CVE-2022-23833) are identical to the OSV 2022-02-07 entry above.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · django: Possible XSS via '{% debug %}' template tag · 2022-02-01 · CVSS 6.1 (MEDIUM) · CWE-79
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
A flaw was found in Django. The `{% debug %}` template tag did not properly encode the current context, creating a cross-site scripting (XSS) attack vector.
Package: python-django (Red Hat Ansible Automation Platform 1.2) - Will not fix
Package: python-django (Red Hat Ansible Automation Platform 2) - Will not fix
Package: django (Red Hat Ansible Tower 3) - Will not fix
Package: calamari-server (Red Hat Ceph Storage 2) - Out of support scope
Package: python-django (Red Hat Ceph Storage 2) - Out of support scope
Package: python-django (Red Hat Ceph Storage 3) - Out of s
Debian · CVE-2022-22818: python-django · 2022 · CVSS 6.1 (MEDIUM)
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Scope: local
bookworm: resolved (fixed in 2:3.2.12-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 2:3.2.12-1)
sid: resolved (fixed in 2:3.2.12-1)
trixie: resolved (fixed in 2:3.2.12-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://docs.djangoproject.com/en/4.0/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://security.netapp.com/advisory/ntap-20220221-0003/
https://www.debian.org/security/2022/dsa-5254
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/