CVE-2024-21520
Cross-site Scripting (XSS) vulnerability in djangorestframework (PyPI)

Cross-site Scripting (XSS) Proof of concept Fixable By Resolved Security

What is CVE-2024-21520 About?

This is a Cross-site Scripting (XSS) vulnerability in djangorestframework's `break_long_headers` template filter. The filter makes long, comma-separated header values readable by splitting them on commas and joining the pieces with `<br>` tags, but before 3.15.2 it did so without escaping the header text first, and it marks its result as safe HTML. Any HTML or JavaScript contained in such a header value is therefore rendered verbatim instead of being autoescaped. Exploitation is of moderate difficulty: the attacker needs to get crafted text into a value that passes through the filter and is then rendered in another user's browser, where it executes as client-side code.

Affected Software

djangorestframework <3.15.2

Technical Details

The vulnerability resides in the `break_long_headers` template filter (`rest_framework/templatetags/rest_framework.py`) in djangorestframework versions prior to 3.15.2. Django Rest Framework applies this filter to response header values when it renders the browsable API, and the filter only rewrites a value that is longer than 160 characters and contains a comma; such values are split on the commas and re-joined with `<br>` tags so that they wrap on the page. The output is wrapped in `mark_safe`, which tells Django's template engine not to autoescape it. Because the pre-3.15.2 code split and joined the raw header text, any `<`, `>` or quote characters in the value survived into the marked-safe output, so an attacker who can place markup such as a `<script>` tag or an event-handler attribute inside a qualifying header value gets it rendered as live HTML. When another user views that response in the browsable API, the injected code runs in their browser session under the application's origin. The `<br>` tags themselves are not the injection point; the flaw is that the filter bypassed autoescaping for text it never escaped. The fix in 3.15.2 escapes the header value before splitting and joining it.
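The following added example (not DRF's own code) re-implements the filter's described behaviour in both its pre-3.15.2 and fixed forms so the difference can be run without a Django project. The threshold of 160 characters, the comma split and the `<br>` join follow the description above; the sample header value is constructed here, and when Django is not installed the standard library's `html.escape` and a pass-through `mark_safe` stand in for Django's versions (an assumption noted in the code).

```python
"""Vulnerable vs. fixed break_long_headers, side by side.

Added example: re-implemented from the filter's described behaviour
(split on commas, join with <br>, mark the result safe), not copied
from djangorestframework. Runs with or without Django installed.
"""
from html import escape as _stdlib_escape

try:
    from django.utils.html import escape
    from django.utils.safestring import mark_safe
except ImportError:  # assumption: Django may be absent; use stand-ins
    escape = _stdlib_escape  # escapes & < > " ' like django.utils.html.escape

    def mark_safe(s):
        # Stand-in: the real filter returns a SafeString that Django's
        # template engine will not autoescape. Plain str is enough here.
        return s

LENGTH_THRESHOLD = 160  # the filter only rewrites values longer than this


def break_long_headers_vulnerable(header):
    """Pre-3.15.2 behaviour: raw text is wrapped in <br> and marked safe."""
    if len(header) > LENGTH_THRESHOLD and ',' in header:
        header = mark_safe('<br> ' + ', <br>'.join(header.split(',')))
    return header


def break_long_headers_fixed(header):
    """3.15.2 behaviour: escape the value first, then insert the <br> markup."""
    if len(header) > LENGTH_THRESHOLD and ',' in header:
        header = mark_safe('<br> ' + ', <br>'.join(escape(header).split(',')))
    return header


# Constructed sample: 30 harmless comma-separated items pad the value
# past 160 characters, and the last item carries a script tag.
PAYLOAD = '<script>alert(1)</script>'
SAMPLE_HEADER = ','.join(['item%d' % i for i in range(30)] + [PAYLOAD])


def contains_live_script(rendered):
    """True if the rendered HTML still contains an unescaped <script> tag."""
    return '<script>' in rendered


def demo():
    """Run both variants over the sample header and report what survives."""
    vulnerable = break_long_headers_vulnerable(SAMPLE_HEADER)
    fixed = break_long_headers_fixed(SAMPLE_HEADER)
    return {
        'vulnerable_has_script': contains_live_script(vulnerable),
        'fixed_has_script': contains_live_script(fixed),
        'fixed_escaped_payload': escape(PAYLOAD) in fixed,
        'fixed_still_wraps': '<br>' in fixed,
        # a short value is returned untouched by both variants, so Django's
        # normal autoescaping still applies to it at render time
        'short_value_untouched': break_long_headers_vulnerable('a,b') == 'a,b',
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

The escape happens before the split because the escaped text contains no commas that were not in the original, so the line-wrapping behaviour is preserved while `<`, `>` and quotes can no longer form tags or attributes. Anything shorter than the threshold, or without a comma, never touches `mark_safe` and is escaped by the template engine as usual.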

What is the Impact of CVE-2024-21520?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, manipulate content, steal session cookies, deface web pages, or redirect users to malicious sites.

What is the Exploitability of CVE-2024-21520?

Exploitation of this XSS vulnerability is of moderate complexity. The attacker needs attacker-controlled text to reach the `break_long_headers` filter and then be rendered in a page viewed by another user. In Django Rest Framework's stock templates the filter is applied to response header values in the browsable API, and it only rewrites values longer than 160 characters that contain a comma, so the practical prerequisite is a way to influence such a header value (for example a header the application builds from request data) or a custom template in which the application applies the filter to other user-supplied strings. No authentication or elevated privilege is required beyond that ability; the attack is carried out remotely, and the payload executes in the session of whichever user views the rendered response. Risk is highest in applications that expose the browsable API to users and reflect user-supplied text into headers or into templates that use this filter without further sanitization.

What are the Known Public Exploits?

PoC author: ch4n3-yoon (link)
Commentary: A demonstration of common XSS vulnerabilities in Django Rest Framework applications. This repository showcases intentionally vulnerable code to educate developers on identifying and mitigating XSS...

What are the Available Fixes for CVE-2024-21520?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • djangorestframework
    • <3.15.2 → Upgrade to 3.15.2 or later (the fix escapes the header value before it is split and joined with `<br>` tags)


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21520?

Similar Vulnerabilities: CVE-2023-46233 , CVE-2022-38662 , CVE-2021-39149 , CVE-2020-28154 , CVE-2019-10200