CVE-2024-41810
published 2024-07-29

Priority: P3 · 34 · medium · CVSS 3.1 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit / EPSS: 1.11% (61.8th percentile)
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
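To make the mechanism concrete, the following is an added example written for this page; it is not Twisted's source. The real `redirectTo(URL, request)` takes a bytes URL and a request object and sets the Location and Content-Type headers itself; the stand-in below only models the body construction, where the caller-supplied URL lands in two HTML attribute contexts (a meta refresh and an anchor href). The vulnerable form interpolates it raw, the hardened form escapes it for attribute context, and `safe_redirect_target` shows the application-side allowlist the advisory implies (the http/https and host allowlist is an assumption of this example, not something Twisted enforces). The probe string is the one from the IOC list on this page.

```python
import html
from typing import Optional, Set
from urllib.parse import urlsplit

# Simplified stand-in for the pre-24.7.0 redirect body (NOT Twisted's source).
# The URL is dropped into two attribute contexts; nothing escapes it.
_TEMPLATE = (
    '<html><head><meta http-equiv="refresh" content="0;URL={url}"></head>'
    '<body><a href="{url}">click here</a></body></html>'
)


def redirect_body_vulnerable(url: str) -> str:
    """Raw interpolation: a double quote in `url` closes the attribute and
    everything after it is parsed as markup."""
    return _TEMPLATE.format(url=url)


def redirect_body_hardened(url: str) -> str:
    """Escape for the HTML attribute context before interpolating.
    html.escape(..., quote=True) maps " -> &quot; and < > -> &lt; &gt;, so the
    attacker can no longer break out of the attribute or open a tag."""
    return _TEMPLATE.format(url=html.escape(url, quote=True))


# Application-side control: never hand attacker-controlled targets to
# redirectTo at all. This allowlist policy is an assumption for the example.
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(url: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Return `url` only if its scheme and host are allowlisted, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        return None
    return url


# Probe string from the page's IOC list.
PAYLOAD = 'ws://example.com/"><script>alert(document.domain)</script>'

if __name__ == "__main__":
    print(redirect_body_vulnerable(PAYLOAD))  # <script> lands in the body verbatim
    print(redirect_body_hardened(PAYLOAD))    # &quot;&gt;&lt;script&gt;... instead
```

Escaping fixes the HTML injection but not the open-redirect half of the problem: the raw URL still goes into the Location header, which is why the allowlist check belongs in the application regardless of the Twisted version in use.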

Affected

21 ranges

Vendor | Product | Version range | Fixed in
debian | twisted | < twisted 22.4.0-4+deb12u1 (bookworm) | twisted 22.4.0-4+deb12u1 (bookworm)
msrc | azl3_python-twisted_22.10.0-3_on_azure_linux_3.0 | - | -
msrc | azl3_python-twisted_22.10.0-4_on_azure_linux_3.0 | - | -
msrc | azure_linux_3.0_arm | - | -
msrc | azure_linux_3.0_x64 | - | -
msrc | cbl2_python-twisted_22.10.0-3_on_cbl_mariner_2.0 | - | -
msrc | cbl2_python-twisted_22.10.0-4_on_cbl_mariner_2.0 | - | -
msrc | cbl_mariner_2.0_arm | - | -
msrc | cbl_mariner_2.0_x64 | - | -
twisted | twisted | <= 24.3.0 | -
twisted | twisted | >= 0, < 20.3.0-7+deb11u2 | 20.3.0-7+deb11u2
twisted | twisted | >= 0, < 22.4.0-4+deb12u1 | 22.4.0-4+deb12u1
twisted | twisted | >= 0, < 24.7.0-1 | 24.7.0-1
twisted | twisted | >= 0, < 24.7.0-1 | 24.7.0-1
twisted | twisted | >= 0, < 24.7.0rc1 | 24.7.0rc1
twisted | twisted | >= 0, < 18.9.0-11ubuntu0.20.04.4 | 18.9.0-11ubuntu0.20.04.4
twisted | twisted | >= 0, < 22.1.0-2ubuntu2.5 | 22.1.0-2ubuntu2.5
twisted | twisted | >= 0, < 24.3.0-1ubuntu0.1 | 24.3.0-1ubuntu0.1
twisted | twisted | >= 0, < 13.2.0-1ubuntu1.2+esm3 | 13.2.0-1ubuntu1.2+esm3
twisted | twisted | >= 0, < 16.0.0-1ubuntu0.4+esm2 | 16.0.0-1ubuntu0.4+esm2
twisted | twisted | >= 0, < 17.9.0-2ubuntu0.3+esm1 | 17.9.0-2ubuntu0.3+esm1

Detection & IOCs (extracted from sources)

url:    {{BaseURL}}?url=ws://example.com/"><script>alert(document.domain)</script>
cookie: TWISTED_SESSION
other:  Location: ws://example.com/"><script>alert(document.domain)</script>
  • Look for HTTP 302 responses with Content-Type: text/html whose Location header carries an unsanitised user-supplied URL containing HTML metacharacters (quotes, angle brackets) and whose body reflects that same value unescaped; that pairing is the signature of the HTML injection in twisted.web.util.redirectTo.
  • Identify Twisted-based servers via Shodan/FOFA by searching for HTML responses containing both the 'Twisted' and 'python' strings, then probe the redirect URL parameter for injection.
  • Before sending the XSS probe, confirm the target is Twisted by checking the response for the TWISTED_SESSION cookie or the '["Twisted' string. This fingerprints the framework only; it does not establish that the deployed version is vulnerable.
  • The injection point is the redirect URL parameter that the application passes to redirectTo (`url` in the public PoC); monitor for requests where this parameter contains HTML metacharacters or unexpected schemes (e.g. ", >, <, javascript:, ws://).
  • In the original report the payload rendered only in Firefox; the other tested browsers displayed an error and did not render the HTML body of the 302 response. Verify server-side by inspecting the raw response body rather than relying on browser behaviour.
  • Exploitation requires that application code allows attacker-controlled input to reach the URL argument of twisted.web.util.redirectTo.
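The detection bullets above, turned into code as an added example (not a rule shipped with any scanner or with Twisted): a small HTTP/1.1 response parser, the TWISTED_SESSION fingerprint from the IOC list, and a check that flags a redirect as vulnerable only when the Location value contains HTML metacharacters and the same value is reflected unescaped in the text/html body. The two sample responses are constructed here, not captured traffic; the patched sample assumes the fix escapes the body but leaves the Location header unchanged, and the `Server: TwistedWeb/...` header check is an extra heuristic added by this example.

```python
import html
import re
from typing import Dict, List, Tuple

REDIRECT_CODES = {301, 302, 303, 307, 308}
HTML_METACHARS = re.compile(r'["<>]')


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 response into (status, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def looks_like_twisted(headers: Dict[str, List[str]]) -> bool:
    """Framework fingerprint from the page's IOCs (TWISTED_SESSION cookie);
    the Server header match is an additional heuristic assumed here."""
    cookies = " ".join(headers.get("set-cookie", []))
    server = " ".join(headers.get("server", []))
    return "TWISTED_SESSION" in cookies or "TwistedWeb" in server


def analyse_redirect(raw: str) -> Dict[str, bool]:
    """Apply the detection logic from the bullets to one response."""
    status, headers, body = parse_response(raw)
    location = headers.get("location", [""])[0]
    ctype = headers.get("content-type", [""])[0].lower()
    metachars = bool(HTML_METACHARS.search(location))
    # A patched server escapes the URL in the body (&quot; &gt; ...), so the raw
    # Location value only appears verbatim in the body when it is unescaped.
    reflected_unescaped = metachars and location in body
    return {
        "twisted": looks_like_twisted(headers),
        "redirect": status in REDIRECT_CODES,
        "html_body": "text/html" in ctype,
        "location_has_metachars": metachars,
        "reflected_unescaped": reflected_unescaped,
        "vulnerable": status in REDIRECT_CODES
        and "text/html" in ctype
        and reflected_unescaped,
    }


# Probe string from the page's IOC list.
PAYLOAD = 'ws://example.com/"><script>alert(document.domain)</script>'


def make_response(server: str, body_url: str) -> str:
    """Constructed sample (not captured traffic): the Location header always
    carries the raw probe; only the body URL differs between the two cases."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Server: {server}\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: TWISTED_SESSION=deadbeef; Path=/\r\n"
        f"Location: {PAYLOAD}\r\n"
        "\r\n"
        f'<html><head><meta http-equiv="refresh" content="0;URL={body_url}"></head>'
        f'<body><a href="{body_url}">click here</a></body></html>'
    )


VULNERABLE_RESPONSE = make_response("TwistedWeb/24.3.0", PAYLOAD)
PATCHED_RESPONSE = make_response("TwistedWeb/24.7.0", html.escape(PAYLOAD, quote=True))

if __name__ == "__main__":
    for label, resp in (("unpatched", VULNERABLE_RESPONSE), ("patched", PATCHED_RESPONSE)):
        print(label, analyse_redirect(resp))
```

Note that `location_has_metachars` is true for both samples: a metacharacter in the Location header alone only proves the application forwards user input to the redirect, which is the open-redirect condition. The XSS verdict hinges on the body check.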

CVSS provenance

Source | Score | Severity | Vector
nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv | 8.3 | HIGH | -
vendor_ubuntu | 8.3 | HIGH | -
vendor_debian | 6.1 | MEDIUM | -
vendor_msrc | 6.1 | MEDIUM | -
vendor_redhat | 6.1 | MEDIUM | -