Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-41810

Severity
6.1 MEDIUM
EPSS
67.8% (top 1.41%)
CISA KEV
Not in KEV
Exploit
PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Jul 29
Latest update: Sep 4

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (5 packages)

PyPI: twisted < 24.7.0rc1
Debian: twisted < 20.3.0-7+deb11u2+3
Ubuntu: twisted < 18.9.0-11ubuntu0.20.04.4+5
CVEListV5: twisted/twisted 24.3.0
NVD: twisted/twisted 24.3.0

Patches

🔴 Vulnerability Details (5)

OSV: twisted vulnerabilities (2024-09-04)
CVEList: HTML injection in HTTP redirect body (2024-07-29)
OSV: Twisted vulnerable to HTML injection in HTTP redirect body (2024-07-29)
GHSA: Twisted vulnerable to HTML injection in HTTP redirect body (2024-07-29)
OSV: CVE-2024-41810: Twisted is an event-based framework for internet applications, supporting Python 3 (2024-07-29)

💥 Exploits & PoCs (1)

Nuclei: Twisted - Open Redirect & XSS

📋 Vendor Advisories (4)

Ubuntu: Twisted vulnerabilities (2024-09-04)
Red Hat: python-twisted: Reflected XSS via HTML Injection in Redirect Response (2024-07-29)
Microsoft: HTML injection in HTTP redirect body (2024-07-09)
Debian: CVE-2024-41810: twisted - Twisted is an event-based framework for internet applications, supporting Python... (2024)
CVE-2024-41810 (MEDIUM CVSS 6.1) | Twisted is an event-based framework | cvebase.io