25 matches found
Django: SQL injection in QuerySet.annotate(),aggregate() and extra()
A flaw was found in the Django package, which leads to a SQL injection. This flaw allows an attacker using a crafted dictionary containing malicious SQL queries to compromise the database completely...
PYSEC-2022-190
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate, aggregate, and extra methods are subject to SQL injection in column aliases via a crafted dictionary with dictionary expansion as the passed kwargs...
ALPINE-CVE-2019-14234
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to...
UBUNTU-CVE-2019-14234
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to...
mcholste Enterprise Log Search and Archive Cross-Site Scripting Vulnerability
mcholste Enterprise Log Search and Archive ELSA is an enterprise log search and archive system. A cross-site scripting vulnerability exists in the index view in mcholste ELSA version 1205, commit 2cc17f1 and earlier. A remote attacker can leverage the 'type', 'name', and 'value' parameters in...