CVE-2024-21520

MEDIUM

djangorestframework < 3.15.2 - Cross-Site Scripting via break_long_headers Template Filter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-21520. PoCs published by ch4n3-yoon.

AI-analyzed exploit summary This repository contains a functional Django application demonstrating CVE-2024-21520, an HTTP Response Splitting vulnerability in the `XAccountView` endpoint. The `Content-Location` header is dynamically constructed from user input without proper sanitization, allowing header injection attacks.

Description

Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with <br> tags.

Exploits (1)

nomisec WORKING POC
by ch4n3-yoon · poc
https://github.com/ch4n3-yoon/CVE-2024-21520-Demo

This repository contains a functional Django application demonstrating CVE-2024-21520, an HTTP Response Splitting vulnerability in the `XAccountView` endpoint. The `Content-Location` header is dynamically constructed from user input without proper sanitization, allowing header injection attacks.

Classification
Working Poc 90%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: Django (specific version not specified, but likely affects versions using unvalidated headers)
No auth needed
Prerequisites: Access to the vulnerable endpoint (`/x-account/`)
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 6.1
EPSS 0.0840
EPSS Percentile 92.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
n/a/djangorestframework < 3.15.2
pypi/djangorestframework 0 - 3.15.2PyPI
Published Jun 26, 2024
Tracked Since Feb 18, 2026