Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Django Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2022-28346)

Description

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Remediation

References

Related Vulnerabilities

Chamilo Missing Authorization Vulnerability (CVE-2026-33708)

WordPress Plugin SportsPress-Sports Club & League Manager Cross-Site Scripting (2.7.1)

ownCloud Other Vulnerability (CVE-2022-25338)

WordPress Plugin MF Gig Calendar 'page_id' Parameter Cross-Site Scripting (0.9.4.1)

Internet Information Services Other Vulnerability (CVE-2001-0508)

Severity

Critical

Classification

CVE-2022-28346 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities