| Summary: | <dev-python/django-{4.0.2,3.2.12,2.2.27}: possible XSS via {% debug %} tag & DoS in file uploads | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michał Górny <mgorny> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | ||
| Severity: | minor | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | B4 [glsa?] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 832495, 832496, 832497 | ||
| Bug Blocks: | |||
Thanks for reporting! cleanup done Thanks! |
CVE-2022-22818: Possible XSS via {% debug %} template tag --------------------------------------------------------- The {% debug %} template tag didn’t properly encode the current context, posing an XSS attack vector. In order to avoid this vulnerability, {% debug %} no longer outputs an information when the DEBUG setting is False, and it ensures all context variables are correctly escaped when the DEBUG setting is True. CVE-2022-23833: Denial-of-service possibility in file uploads ------------------------------------------------------------- Passing certain inputs to multipart forms could result in an infinite loop when parsing files.