832491 – (CVE-2022-22818, CVE-2022-23833) <dev-python/django-{4.0.2,3.2.12,2.2.27}: possible XSS via {% debug %} tag & DoS in file uploads

Bug 832491 (CVE-2022-22818, CVE-2022-23833) - <dev-python/django-{4.0.2,3.2.12,2.2.27}: possible XSS via {% debug %} tag & DoS in file uploads

Summary: <dev-python/django-{4.0.2,3.2.12,2.2.27}: possible XSS via {% debug %} tag & ...

Status:	IN_PROGRESS

Alias:	CVE-2022-22818, CVE-2022-23833

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [glsa?]
Keywords:

Depends on:	832495 832496 832497
Blocks:
	Show dependency tree

Reported:	2022-02-01 08:38 UTC by Michał Górny
Modified:	2022-02-03 01:20 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2022-02-01 08:38:48 UTC

CVE-2022-22818: Possible XSS via {% debug %} template tag
---------------------------------------------------------
The {% debug %} template tag didn’t properly encode the current context, posing an XSS attack vector.

In order to avoid this vulnerability, {% debug %} no longer outputs an information when the DEBUG setting is False, and it ensures all context variables are correctly escaped when the DEBUG setting is True.



CVE-2022-23833: Denial-of-service possibility in file uploads
-------------------------------------------------------------
Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Comment 1 John Helmert III archtester

2022-02-02 04:01:04 UTC

Thanks for reporting!

Comment 2 Michał Górny archtester

2022-02-02 15:37:10 UTC

cleanup done

Comment 3 John Helmert III archtester

2022-02-03 01:20:17 UTC

Thanks!