CVE-2024-23341: html injection vulnerability in the `tuitse_html` function.
(updated )
When using tuitse_html without quoting the input, there is a html injection vulnerability. It should use the django version django.utils.html.format_html, instead of string.format()
References
- github.com/advisories/GHSA-m4m5-j36m-8x72
- github.com/i3thuan5/TuiTse-TsuSin
- github.com/i3thuan5/TuiTse-TsuSin/commit/9d21d99d7cfcd7c42aade251fab98ec102e730ea
- github.com/i3thuan5/TuiTse-TsuSin/pull/22
- github.com/i3thuan5/TuiTse-TsuSin/security/advisories/GHSA-m4m5-j36m-8x72
- github.com/pypa/advisory-database/tree/main/vulns/tuitse-tsusin/PYSEC-2024-22.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-23341
Detect and mitigate CVE-2024-23341 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →