GoogleOSV:GHSA-M4M5-J36M-8X72html injection vulnerability in the `tuitse_html` function.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
20.6%
Impact
When using tuitse_html without quoting the input, there is a html injection vulnerability. It should use the django version django.utils.html.format_html, instead of string.format()
Patches
Upgrade to version 1.3.2.
Workarounds
Sanitizing Taigi input with HTML quotation.
References
References
github.com/i3thuan5/TuiTse-TsuSin
github.com/i3thuan5/TuiTse-TsuSin/commit/9d21d99d7cfcd7c42aade251fab98ec102e730ea
github.com/i3thuan5/TuiTse-TsuSin/pull/22
github.com/i3thuan5/TuiTse-TsuSin/security/advisories/GHSA-m4m5-j36m-8x72
github.com/pypa/advisory-database/tree/main/vulns/tuitse-tsusin/PYSEC-2024-22.yaml
nvd.nist.gov/vuln/detail/CVE-2024-23341
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
20.6%