Code Injection in Django
Moderate severity
GitHub Reviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated May 16, 2024
Package
Affected versions
< 1.4.11
>= 1.5.0, < 1.5.6
>= 1.6.0, < 1.6.3
Patched versions
1.4.11
1.5.6
1.6.3
Description
Published by the National Vulnerability Database
Apr 23, 2014
Published to the GitHub Advisory Database
May 17, 2022
Reviewed
Feb 23, 2023
Last updated
May 16, 2024
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
References