Description
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
Remediation
References
Related Vulnerabilities
WordPress Plugin Affiliates Manager Cross-Site Request Forgery (2.6.5)
MySQL CVE-2012-0117 Vulnerability (CVE-2012-0117)
WordPress 3.9.x Multiple Vulnerabilities (3.9 - 3.9.37)
Oracle Application Server Other Vulnerability (CVE-2004-1370)
WordPress Plugin PowerPack Pro for Elementor Privilege Escalation (2.10.14)