Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNG01LWozNm0tOHg3Ms4AA4nV
html injection vulnerability in the `tuitse_html` function.
Impact
When using tuitse_html without quoting the input, there is a html injection vulnerability. It should use the django version django.utils.html.format_html, instead of string.format()
Patches
Upgrade to version 1.3.2.
Workarounds
Sanitizing Taigi input with HTML quotation.
References
https://github.com/i3thuan5/TuiTse-TsuSin/pull/22
Permalink: https://github.com/advisories/GHSA-m4m5-j36m-8x72JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNG01LWozNm0tOHg3Ms4AA4nV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-m4m5-j36m-8x72, CVE-2024-23341
References:
- https://github.com/i3thuan5/TuiTse-TsuSin/security/advisories/GHSA-m4m5-j36m-8x72
- https://github.com/i3thuan5/TuiTse-TsuSin/pull/22
- https://nvd.nist.gov/vuln/detail/CVE-2024-23341
- https://github.com/i3thuan5/TuiTse-TsuSin/commit/9d21d99d7cfcd7c42aade251fab98ec102e730ea
- https://github.com/pypa/advisory-database/tree/main/vulns/tuitse-tsusin/PYSEC-2024-22.yaml
- https://github.com/advisories/GHSA-m4m5-j36m-8x72
Blast Radius: 0.0
Affected Packages
pypi:TuiTse-TsuSin
Dependent packages: 0Dependent repositories: 1
Downloads: 771 last month
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 1.0.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1
All unaffected versions: 1.3.2