Description

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

Remediation

References

CVE-2021-35042

Related Vulnerabilities

Caddy Web Server URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-28923)

WordPress Plugin Database for Contact Form 7, WPforms, Elementor forms Cross-Site Scripting (1.3.8)

WordPress Plugin WP Flash Player Multiple Cross-Site Scripting Vulnerabilities (1.3)

WordPress Plugin WP eCommerce HTML Injection (3.8.7.1)

WordPress Plugin Dokan-Best WooCommerce Multivendor Marketplace Solution-Build Your Own Amazon, eBay, Etsy Security Bypass (2.9.4)

Severity

Critical

Classification

CVE-2021-35042 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities