FreeBSD: VID-1685144E-63FF-11EA-A93A-080027846A02 (CVE-2020-9402): Django -- potential SQL injection vulnerability
Severity | CVSS | Published | Added | Modified
---|---|---|---|---
7 | (AV:N/AC:L/Au:S/C:P/I:P/A:P) | Feb 25, 2020 | Mar 12, 2020 | Oct 20, 2020
Description
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Solution(s)
freebsd-upgrade-package-py27-django111
freebsd-upgrade-package-py35-django111
freebsd-upgrade-package-py35-django22
freebsd-upgrade-package-py36-django111
freebsd-upgrade-package-py36-django22
freebsd-upgrade-package-py36-django30
freebsd-upgrade-package-py37-django111
freebsd-upgrade-package-py37-django22
freebsd-upgrade-package-py37-django30
freebsd-upgrade-package-py38-django111
freebsd-upgrade-package-py38-django22
freebsd-upgrade-package-py38-django30