| Package | python-django |
|---|---|
| Version | 1.7.11-1+deb8u15 |
| Related CVEs | CVE-2022-22818 CVE-2022-23833 |
It was discovered that there were two vulnerabilities in Django, the popular Python-based web development framework:
-
CVE-2022-22818: Possible XSS via the
{% debug %}template tag.The
{% debug %}template tag didn’t properly encode the current context, posing an XSS attack vector.In order to avoid this vulnerability,
{% debug %}no longer outputs information when theDEBUGsetting is False, and it ensures all context variables are correctly escaped when theDEBUGsetting isTrue. -
CVE-2022-23833: Denial-of-service possibility in file uploads
Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
For Debian 8 Jessie, these problems have been fixed in version 1.7.11-1+deb8u15.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.