CVE-2020-9402
HIGH | NUCLEI | Django < 1.11.29 - SQL Injection
Title source: ruleDescription
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. Fixed in 1.11.29, 2.2.11 and 3.0.4. Only deployments that use GeoDjango (django.contrib.gis) on the Oracle database backend and let request data reach the tolerance argument are exposed; the other database backends are not affected by this issue.
Nuclei Templates (1)
Django SQL Injection
HIGH, by geeknik, 0x_Akoko
Shodan: cpe:"cpe:2.3:a:djangoproject:django"
Scores
CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.8551
EPSS Percentile: 99.4%
Attack Vector: NETWORK
Details
CWE: CWE-89
Status: published
Products (10)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
debian/debian_linux 9.0
debian/debian_linux 10.0
djangoproject/django 1.11 up to and excluding 1.11.29 (fixed in 1.11.29)
fedoraproject/fedora 31
fedoraproject/fedora 32
netapp/steelstore_cloud_integrated_storage
pypi/Django 1.11 up to and excluding 1.11.29 (PyPI; fixed in 1.11.29)
Published: Mar 05, 2020
Tracked Since: Feb 18, 2026