Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Django Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2022-34265)

Description

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Remediation

References

Related Vulnerabilities

Oracle Application Server Other Vulnerability (CVE-2006-5365)

WordPress Plugin cformsII Multiple Cross-Site Scripting Vulnerabilities (14.13.2)

WordPress Plugin User Verification Security Bypass (1.0.93)

WordPress Plugin NextGEN Pro Cross-Site Scripting (3.1.9)

WordPress Plugin NextGEN Gallery-WordPress Gallery Unspecified Vulnerability (2.2.46)

Severity

Critical

Classification

CVE-2022-34265 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities