CVE-2024-41810
Published: 2024-07-29
Priority: P3 (34) · Severity: medium · CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit likelihood (EPSS): 1.11%, 61.8th percentile
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | twisted | < twisted 22.4.0-4+deb12u1 (bookworm) | twisted 22.4.0-4+deb12u1 (bookworm) |
| msrc | azl3_python-twisted_22.10.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-twisted_22.10.0-4_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_python-twisted_22.10.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-twisted_22.10.0-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| twisted | twisted | <= 24.3.0 | — |
| twisted | twisted | >= 0 < 20.3.0-7+deb11u2 | 20.3.0-7+deb11u2 |
| twisted | twisted | >= 0 < 22.4.0-4+deb12u1 | 22.4.0-4+deb12u1 |
| twisted | twisted | >= 0 < 24.7.0-1 | 24.7.0-1 |
| twisted | twisted | >= 0 < 24.7.0-1 | 24.7.0-1 |
| twisted | twisted | >= 0 < 24.7.0rc1 | 24.7.0rc1 |
| twisted | twisted | >= 0 < 18.9.0-11ubuntu0.20.04.4 | 18.9.0-11ubuntu0.20.04.4 |
| twisted | twisted | >= 0 < 22.1.0-2ubuntu2.5 | 22.1.0-2ubuntu2.5 |
| twisted | twisted | >= 0 < 24.3.0-1ubuntu0.1 | 24.3.0-1ubuntu0.1 |
| twisted | twisted | >= 0 < 13.2.0-1ubuntu1.2+esm3 | 13.2.0-1ubuntu1.2+esm3 |
| twisted | twisted | >= 0 < 16.0.0-1ubuntu0.4+esm2 | 16.0.0-1ubuntu0.4+esm2 |
| twisted | twisted | >= 0 < 17.9.0-2ubuntu0.3+esm1 | 17.9.0-2ubuntu0.3+esm1 |
Detection & IOCs (extracted from sources)
- Look for HTTP 302 responses with Content-Type: text/html whose Location header, and therefore the link reflected in the body, carries an unsanitized user-supplied URL containing quotes or angle brackets; that reflection is the HTML injection in twisted.web.util.redirectTo.
- Identify Twisted-based servers via Shodan/FOFA by searching for HTML responses that contain both the strings 'Twisted' and 'python', then probe the redirect URL parameter for injection.
- Before sending an XSS probe, confirm the target is a Twisted instance by checking the response for the TWISTED_SESSION cookie or the string '["Twisted'.
- The injection point is the `url` query parameter that the application passes to redirectTo; monitor for requests in which this parameter contains HTML metacharacters (", <, >) or non-http schemes such as javascript: or ws:// (the case in which a browser may fall back to rendering the body instead of following the redirect).
- In the source's testing the payload rendered only in Firefox; the other browsers tested displayed an error instead of rendering the HTML body of the 302 response, so a working exploit depends on the victim's browser.
- Exploitation requires that application code let attacker-controlled input reach the URL argument of twisted.web.util.redirectTo; an application that only redirects to fixed or validated destinations does not expose the flaw even on an unpatched Twisted.
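The indicators in the list above, turned into a small log scanner as an added example; this is not a rule from any of the quoted sources. The redirect parameter names, the Common Log Format lines and the client addresses are constructed assumptions, so adjust the parameter list to whatever name the application actually hands to redirectTo.

```python
# Added example: a log scanner for the indicators above. It is not a rule
# from any of the quoted sources. The redirect parameter names, the Common
# Log Format lines and the client addresses are all constructed assumptions.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names an application might feed into redirectTo (assumed).
REDIRECT_PARAMS = ("url", "next", "redirect", "return_to")

# Characters that can break out of the href="..." / content="..." attributes
# in the redirect body, and schemes that make a browser fall back to the body.
HTML_META = re.compile(r'[<>"\']')
NON_HTTP_SCHEME = re.compile(r"^\s*(?:javascript|vbscript|data|wss?):", re.I)

# Common Log Format: client - - [time] "METHOD target HTTP/x" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_redirect_value(value: str) -> List[str]:
    """Return the indicator names matched by one redirect-parameter value.

    The value is percent-decoded once more here (parse_qs already decoded it
    once) so that double-encoded probes such as %253C are not missed.
    An empty list means nothing suspicious was found.
    """
    decoded = unquote(value)
    reasons = []
    if HTML_META.search(decoded):
        reasons.append("html-metacharacters")
    if NON_HTTP_SCHEME.match(decoded):
        reasons.append("non-http-scheme")
    return reasons


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one CLF line; return a finding if a redirect parameter carries
    a suspicious value, otherwise None."""
    m = CLF.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes once
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            reasons = classify_redirect_value(value)
            if reasons:
                return {
                    "client": m.group("client"),
                    "status": int(m.group("status")),
                    "param": name,
                    "value": unquote(value),
                    "reasons": reasons,
                }
    return None


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run scan_line over every line and keep the findings in order."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample traffic: one benign redirect, one XSS probe using the
# quote/angle-bracket break-out, one javascript: probe, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jul/2024:10:00:01 +0000] "GET /login?url=/dashboard HTTP/1.1" 302 351',
    '203.0.113.5 - - [29/Jul/2024:10:00:02 +0000] "GET /login?url=ws://x%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 402',
    '198.51.100.7 - - [29/Jul/2024:10:00:03 +0000] "GET /login?url=javascript:alert(document.domain) HTTP/1.1" 302 380',
    '198.51.100.7 - - [29/Jul/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the two probe lines produce findings; the benign `/dashboard` redirect and the static asset request are ignored. A 302 status on a flagged request is worth a second look, because it means the value reached the redirect rather than being rejected by the application.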
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 8.3 | HIGH | — |
| vendor_ubuntu | 8.3 | HIGH | — |
| vendor_debian | 6.1 | MEDIUM | — |
| vendor_msrc | 6.1 | MEDIUM | — |
| vendor_redhat | 6.1 | MEDIUM | — |
The two 8.3/HIGH figures belong to the Ubuntu USN record (and its OSV mirror), which bundles CVE-2024-41671 with this issue; NVD and the other vendors rate CVE-2024-41810 on its own at 6.1.
OSV · 2024-09-04 · CVSS 8.3
CVE-2024-41671 [HIGH] twisted vulnerabilities
Ben Kallus discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay and manipulate responses.
This issue only affected Ubuntu 24.04 LTS. (CVE-2024-41671)
It was discovered that Twisted did not properly sanitize certain input.
An attacker could use this vulnerability to possibly execute an HTML
injection leading to a cross-site scripting (XSS) attack.
(CVE-2024-41810)
OSV · 2024-07-29
CVE-2024-41810 [MEDIUM] Twisted vulnerable to HTML injection in HTTP redirect body
### Summary
The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.
### Details
Twisted’s `redirectTo` function generates an `HTTP 302 Redirect` response. The response contains an HTML body, built for exceptional cases where the browser doesn’t properly handle the redirect, allowing the user to click a link, navigating them to the specified destination.
The function reflects the destination URL in the HTML body without any output encoding.
```python
# https://github.com/twisted/twisted/blob/trunk/src/twisted/web/_template_util.py
```
GHSA · 2024-07-29
CVE-2024-41810 [MEDIUM] CWE-79 Twisted vulnerable to HTML injection in HTTP redirect body
Advisory text (Summary, Details and source excerpt) identical to the OSV entry above, which mirrors this GitHub advisory.
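The defect the advisory's Summary and Details describe, and the application-side control its precondition ("if application code allows an attacker to control the redirect URL") points at, as an added example. This is not Twisted's code and not the advisory's source excerpt: the template string, the function names and the host allowlist are assumptions chosen to mirror the described behaviour (a 302 body embedding the destination as a refresh target and a fallback link). `redirect_body_fixed` shows the output-encoding fix in its simplest form using Python's `html.escape`; it models the approach, not Twisted's actual patch.

```python
# Added example modelling the defect class of CVE-2024-41810. This is NOT
# Twisted's code: the template text, function names and allowlist are
# assumptions chosen to mirror the advisory's description (a 302 body that
# embeds the destination URL as a refresh target and a fallback link).
from html import escape
from typing import FrozenSet, Optional
from urllib.parse import urlsplit

# Minimal stand-in for the redirect body (assumed; not the real template).
_TEMPLATE = (
    '<html><head><meta http-equiv="refresh" content="0;URL={url}"></head>'
    '<body><a href="{url}">click here</a></body></html>'
)


def redirect_body_vulnerable(url: str) -> str:
    """Reflect the destination URL into the HTML body without output
    encoding: the CWE-79 pattern the advisory describes."""
    return _TEMPLATE.format(url=url)


def redirect_body_fixed(url: str) -> str:
    """Same template, but the URL is HTML-escaped (quotes included) before
    interpolation, so it can neither close the attribute nor open a tag."""
    return _TEMPLATE.format(url=escape(url, quote=True))


def safe_redirect_target(candidate: str, allowed_hosts: FrozenSet[str]) -> Optional[str]:
    """Application-side gate: accept only same-site absolute paths or http(s)
    URLs whose host is on an allowlist. javascript:, ws://, protocol-relative
    //host and backslash variants are rejected, so attacker input never
    reaches the redirect at all. Returns the accepted target or None."""
    if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
        return candidate
    parts = urlsplit(candidate)
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return candidate
    return None


# Constructed probe: a non-http scheme (so the browser may fall back to the
# body) plus a quote to break out of the attribute and inject a tag.
PAYLOAD = 'ws://x"><script>alert(1)</script>'

if __name__ == "__main__":
    print(redirect_body_vulnerable(PAYLOAD))
    print(redirect_body_fixed(PAYLOAD))
    print(safe_redirect_target(PAYLOAD, frozenset({"example.com"})))
```

Two controls stack here: output encoding in the framework closes the injection, and the allowlist in the application removes the precondition entirely, which is the only defence available while a deployment still runs an unpatched Twisted.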
OSV · 2024-07-29 · CVSS 6.1
CVE-2024-41810 [MEDIUM] CVE-2024-41810: Twisted is an event-based framework for internet applications, supporting Python 3
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
Ubuntu · vendor_ubuntu · 2024-09-04 · CVSS 8.3
CVE-2024-41810 [HIGH] Twisted vulnerabilities
Summary: Several security issues were fixed in Twisted.
Ben Kallus discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay and manipulate responses.
This issue only affected Ubuntu 24.04 LTS. (CVE-2024-41671)
It was discovered that Twisted did not properly sanitize certain input.
An attacker could use this vulnerability to possibly execute an HTML
injection leading to a cross-site scripting (XSS) attack.
(CVE-2024-41810)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · vendor_redhat · 2024-07-29 · CVSS 6.1
CVE-2024-41810 [MEDIUM] CWE-79 python-twisted: Reflected XSS via HTML Injection in Redirect Response
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
A Cross-site scripting (XSS) vulnerability exists in Python-Twisted in the twisted.web.util.redirectTo function. This flaw allows an attacker to control the redirect URL, leading to reflected XSS in the HTML body of the redirect response. If exploited, a remote attacker could inject malicious HTML, causing unauthorized JavaScript execution.
Microsoft · vendor_msrc · 2024-07-09 · CVSS 6.1
CVE-2024-41810 [MEDIUM] CWE-79 HTML injection in HTTP redirect body
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.co
Debian · vendor_debian · 2024 · CVSS 6.1
CVE-2024-41810 [MEDIUM] twisted - Twisted is an event-based framework for internet applications, supporting Python...
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
Scope: local
bookworm: resolved (fixed in 22.4.0-4+deb12u1)
bullseye: resolved (fixed in 20.3.0-7+deb11u2)
forky: resolved (fixed in 24.7.0-1)
sid: resolved (fixed in 24.7.0-1)
trixie: resolved (fixed in 24.7.0-1)
No detection rules found.
Nuclei · CVSS 6.1
CVE-2024-41810 [MEDIUM] Twisted - Open Redirect & XSS
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The Twisted web framework's redirectTo function is vulnerable to reflected XSS if an attacker can control the redirect URL. This template tests for an open redirect and XSS vulnerability in the URL parameter. This vulnerability is fixed in 24.7.0rc1.
Template:
```yaml
id: CVE-2024-41810

info:
  name: Twisted - Open Redirect & XSS
  author: KoYejune0302,cheoljun99,sim4110,gy741
  severity: medium
  description: |
    Twisted is an event-based framework for internet applications, supporting Python 3.6+. The Twisted web framework's redirectTo function is vulnerable to reflected XSS if an attacker can control the redirect URL. This template tests for an open redirect and XSS vulnerability in th
```
References
- https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2
- https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33
- https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html
Published: 2024-07-29