Lucene search

5 matches found

RedHat Linux
added 2026/03/26 8:28 p.m., 2 views

Django: Django: SQL Injection via crafted column aliases

A flaw was found in Django. This vulnerability allows a remote attacker to perform SQL injection by using specially crafted control characters within column aliases. When these crafted aliases are passed through dictionary expansion to QuerySet methods like annotate or values, it can lead to the...

CVSS 5.4, AI score 7.6, EPSS 0.00011
Exploits: 0, References: 7
Veracode
added 2026/02/11 8:38 a.m., 5 views

SQL Injection

Django is vulnerable to SQL injection. The vulnerability is due to improper handling of column aliases in FilteredRelation when using dictionary expansion kwargs, where crafted keys containing control characters can manipulate SQL generation in methods such as annotate, aggregate, extra, values,...

CVSS 5.4, AI score 5.8, EPSS 0.00011
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2024/08/06 1:0 p.m., 1 views

UBUNTU-CVE-2024-42005

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values and values_list methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed arg...

CVSS 9.8, AI score 6.9, EPSS 0.00328
Exploits: 0, References: 3
Hacker One
added 2024/07/07 8:20 a.m., 3 views

Django: SQL injection in JSONField KeyTransform

A vulnerability was discovered in the JSONField KeyTransform functionality of Django. The vulnerability allowed SQL injection attacks by crafting malicious user input for the .values method. The vulnerability was demonstrated in the Django test suite, where a SQL syntax error was triggered by...

CVSS 9.8, AI score 7.1, EPSS 0.00328
Exploits: 0
CNNVD
added 2022/04/06 12:0 a.m., 1 views

Async Security Vulnerability

Async is a utility module by Caolan McMahon, an individual developer in the UK. It is intended for use with asynchronous JavaScript. A security vulnerability exists in Async 3.2.1 and earlier, which stems from the mapValues method. An attacker could gain privileges via the mapValues method...

CVSS 7.8, AI score 7.1, EPSS 0.00657
Exploits: 1, References: 21