CVE-2024-41810 (Medium) detected in Twisted-20.3.0-cp37-cp37m-manylinux1_x86_64.whl

[mend-bolt-for-github[bot]]

CVE-2024-41810 - Medium Severity Vulnerability

Vulnerable Library - Twisted-20.3.0-cp37-cp37m-manylinux1_x86_64.whl

An asynchronous networking framework written in Python

Library home page: https://files.pythonhosted.org/packages/b8/f9/489416dda6de8ae6419356bf003c10d1ce6fb8377b6a3207b02b3a39c42a/Twisted-20.3.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /etc/pip/external-auth-requirements.txt

Path to vulnerable library: /etc/pip/external-auth-requirements.txt,/src/third_party/wiredtiger/bench/workgen,/etc/pip/dev-requirements.txt,/src/third_party/wiredtiger/lang/python

Dependency Hierarchy: - :x: **Twisted-20.3.0-cp37-cp37m-manylinux1_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 9c4537f1af3987a4f237e73712977c87c207c818

Found in base branch: main

Vulnerability Details

Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.

Publish Date: 2024-07-29

URL: CVE-2024-41810

CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2

Release Date: 2024-07-29

Fix Resolution: tiwsted - 24.7.0

---

Step up your Open Source Security Game with Mend here