pkfec changed the title from "[Snyk: Critical/High] Django SQL Injection and Command Injection" to "[Snyk: Critical/High] Django SQL Injection and Command Injection due by 01/10/2025" on Dec 11, 2024
[SNYK: Critical] Django SQL Injection: https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-8456316
Introduced through: [email protected], [email protected] and others
Fixed in: [email protected], @5.0.10, @5.1.4
Security information
Factors contributing to the scoring:
Snyk: CVSS v4.0 9.3 - Critical Severity | CVSS v3.1 9.1 - Critical Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to SQL Injection via the django.db.models.fields.json.HasKey lookup on Oracle, if untrusted data is used as a lhs value. An attacker can manipulate SQL queries and access or alter database information.
Note: Applications that use the jsonfield.has_key lookup through the __ syntax are unaffected.
[SNYK: High] Django Command Injection: https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-8456315
Introduced through: [email protected], [email protected] and others
Fixed in: [email protected], @5.0.10, @5.1.4
Security information
Factors contributing to the scoring:
Snyk: CVSS v4.0 7.1 - High Severity | CVSS v3.1 6.5 - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to Command Injection via certain inputs containing large sequences of nested incomplete HTML entities submitted to the strip_tags function and striptags template filter. An attacker can cause the application to consume excessive resources.
Action items
Completion criteria
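Added example (not part of the issue above, and not Django's or Snyk's code): a small audit helper for the two advisories. It checks an installed or pinned Django version against the fixed releases and greps project source for direct construction of the HasKey lookup, which is the only usage the first advisory flags (the `__has_key` lookup syntax is stated to be unaffected). Assumptions: the 4.2-series fix version, which the issue text has obfuscated, is taken as 4.2.17 from the Django release notes; series older than 4.2 are treated as affected and series newer than 5.1 as unaffected; the sample source, the function names and the regex heuristic are constructed for illustration only.

```python
import re

# Fixed releases for the two advisories, per the Django 4.2.17 / 5.0.10 / 5.1.4
# security releases. The issue text shows the 4.2.x entry obfuscated
# ("[email protected]"); 4.2.17 is an assumption taken from the release notes.
FIXED_IN = {
    (4, 2): (4, 2, 17),
    (5, 0): (5, 0, 10),
    (5, 1): (5, 1, 4),
}


def parse_version(version):
    """Turn '5.1.3', '4.2' or '5.0.10rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version):
    """True if this Django version still carries both advisories."""
    major, minor, patch = parse_version(version)
    series = (major, minor)
    if series in FIXED_IN:
        return (major, minor, patch) < FIXED_IN[series]
    # Assumption: series older than 4.2 were end-of-life when the fix shipped and
    # never received it; series newer than 5.1 were cut after the fix landed.
    return series < (4, 2)


# Heuristic: only direct use of the HasKey class is worth auditing for an
# untrusted lhs. The ``data__has_key=...`` lookup syntax is unaffected.
HASKEY_IMPORT = re.compile(
    r"from\s+django\.db\.models\.fields\.json\s+import\s+.*\bHasKey\b"
)
HASKEY_CALL = re.compile(r"\bHasKey\s*\(")


def find_direct_haskey_usage(source, path="<source>"):
    """Return (path, line_no, line) for lines that import or call HasKey directly."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        if HASKEY_CALL.search(line) or HASKEY_IMPORT.search(line):
            hits.append((path, no, line.strip()))
    return hits


def audit(django_version, sources):
    """sources: {path: source_text}. Returns a summary a CI job can act on."""
    hits = []
    for path, text in sources.items():
        hits.extend(find_direct_haskey_usage(text, path))
    return {
        "version": django_version,
        "version_affected": is_affected(django_version),
        "direct_haskey_sites": hits,
    }


# Constructed sample module (not real project code) with one safe and one
# risky call site, so the scan has something to find.
SAMPLE_SOURCE = """\
from django.db.models import Value
from django.db.models.fields.json import HasKey

def safe_lookup(qs, key):
    # Unaffected per the advisory: the lookup is built via __ syntax.
    return qs.filter(data__has_key=key)

def risky_lookup(qs, untrusted):
    # Direct HasKey with a caller-supplied lhs: the pattern the advisory flags.
    return qs.filter(HasKey(Value(untrusted), "flag"))
"""

if __name__ == "__main__":
    report = audit("5.1.3", {"app/views.py": SAMPLE_SOURCE})
    print(f"Django {report['version']} affected: {report['version_affected']}")
    for path, no, line in report["direct_haskey_sites"]:
        print(f"{path}:{no}: {line}")
```

In CI, feed `audit()` the version from `pip freeze` (or the pin in requirements.txt) and the text of every `.py` file under the project; any direct `HasKey(` site should be reviewed for an attacker-controlled lhs, and the version check fails the build until the pin is at or above the fixed release for its series.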