CVE-2022-22818 — Cross-site Scripting in Django

CWE-79 — Cross-site Scripting11 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

1.0%

top 22.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Debian Linux Fedoraproject Fedora

Timeline

PublishedFeb 3

Latest updateFeb 7

Description

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDdjangoproject/django2.2 — 2.2.27+2

▶PyPIdjangoproject/django2.2 — 2.2.27+2

Also affects: Debian Linux 11.0, Fedora 35

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗Patch: docs.djangoproject.com ↗

🔴Vulnerability Details

OSV

python-django vulnerabilities↗2022-02-07

▶

GHSA

Cross-site Scripting in Django↗2022-02-04

▶

OSV

Cross-site Scripting in Django↗2022-02-04

▶

OSV

CVE-2022-22818: The {% debug %} template tag in Django 2↗2022-02-03

▶

CVEList

CVE-2022-22818: The {% debug %} template tag in Django 2↗2022-02-03

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2022-02-07

▶

Ubuntu

Django vulnerabilities↗2022-02-03

▶

Red Hat

django: Possible XSS via '{% debug %}' template tag↗2022-02-01

▶

Debian

CVE-2022-22818: python-django - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and...↗2022

▶