github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-794h-2c6j-qp4q] SQL injection vulnerability in rating.php in New 5 star... #4451

Closed MarkLee131 closed 3 months ago

MarkLee131 commented 4 months ago

Updates

Comments

add 2 patches for django: https://github.com/django/django/commit/594a28a9044120bed58671dde8a805c9e0f6c79a https://github.com/django/django/commit/e3e992e18b368fcd56aabafc1b5bf80a6e11b495

darakian commented 4 months ago

@MarkLee131 was this PR created in error? It doesn't seem like it applies to django to me.

MarkLee131 commented 4 months ago

@darakian Hi, this CVE was rooted in the TPL, but it caused the vulns within Django. The detailed info can be accessed in https://docs.djangoproject.com/en/3.2/releases/security/#october-9-2009-cve-2009-3965.

darakian commented 4 months ago

@MarkLee131, I believe you may have actually discovered a typo in the Django docs :) I think the actual CVE is https://nvd.nist.gov/vuln/detail/CVE-2009-3695 rather than https://nvd.nist.gov/vuln/detail/CVE-2009-3965.

We have CVE-2009-3695 in our DB as well, but thank you for raising this. I've gone ahead and shared this with the Django folk, so we can see if they agree: https://code.djangoproject.com/ticket/35473#ticket