CVE-2022-22818

Advisory

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

===========================

*February 1, 2022*

Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================

Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.


===========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
• https://docs.djangoproject.com/en/4.0/releases/security/
• https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
• https://groups.google.com/forum/#!forum/django-announce
• https://lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
• https://security.netapp.com/advisory/ntap-20220221-0003/
• https://www.debian.org/security/2022/dsa-5254