CVE-2024-21520

2024-06-2605:15:50

Debian Security Bug Tracker

security-tracker.debian.org

djangorestframework cross-site scripting input sanitization

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with <br> tags.

OSVersionArchitecturePackageVersionFilename
Debian12alldjangorestframework<= 3.14.0-2+deb12u1djangorestframework_3.14.0-2+deb12u1_all.deb
Debian11alldjangorestframework<= 3.12.1-1djangorestframework_3.12.1-1_all.deb
Debian999alldjangorestframework< 3.15.2-1djangorestframework_3.15.2-1_all.deb
Debian13alldjangorestframework<= 3.15.1-2djangorestframework_3.15.1-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	djangorestframework	<= 3.14.0-2+deb12u1	djangorestframework_3.14.0-2+deb12u1_all.deb
Debian	11	all	djangorestframework	<= 3.12.1-1	djangorestframework_3.12.1-1_all.deb
Debian	999	all	djangorestframework	< 3.15.2-1	djangorestframework_3.15.2-1_all.deb
Debian	13	all	djangorestframework	<= 3.15.1-2	djangorestframework_3.15.1-2_all.deb