Description
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL, this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
A Cross-site scripting (XSS) vulnerability exists in Python-Twisted in the `twisted.web.util.redirectTo` function. This flaw allows an attacker to control the redirect URL, leading to reflected XSS in the HTML body of the redirect response. If exploited, a remote attacker could inject malicious HTML, causing unauthorized JavaScript execution within the victim's browser session. This issue can result in unauthorized access to the victim's account and data or allow the attacker to perform operations on behalf of the victim.
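The description above names two preconditions: the application lets a request parameter choose the redirect target, and the target is written unescaped into the HTML body that accompanies the 302. The following added example (written for this page, not Twisted's own `redirectTo` implementation or its fix) shows a defensive redirect helper that removes both: it HTML-escapes the target wherever it is embedded in the body, and it refuses targets that are not a same-site path or an allowlisted host. The allowlist contents and the helper names are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist for this example: hosts a redirect may point at.
ALLOWED_HOSTS = {"app.example.com"}


def is_allowed_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only same-site paths or http(s) URLs to allowlisted hosts.

    Rejecting attacker-chosen targets outright removes the "attacker controls
    the redirect URL" precondition; escaping (below) covers the body regardless.
    """
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: allow "/foo" but not the protocol-relative "//host" form,
        # which urlsplit would already have parsed as a netloc anyway.
        return url.startswith("/") and not url.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def redirect_body(url: str) -> bytes:
    """Build the HTML body for a redirect with the target escaped.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the URL
    cannot close the meta-refresh/href attribute or start a new tag.
    """
    safe = html.escape(url, quote=True)
    return (
        "<html>\n"
        "  <head>\n"
        f'    <meta http-equiv="refresh" content="0;URL={safe}">\n'
        "  </head>\n"
        "  <body>\n"
        f'    <a href="{safe}">click here</a>\n'
        "  </body>\n"
        "</html>\n"
    ).encode("utf-8")


def build_redirect(url: str):
    """Return (status, headers, body) for an allowed target, or None to refuse."""
    if not is_allowed_redirect(url):
        return None
    headers = {
        "Location": url.encode("utf-8"),
        "Content-Type": b"text/html; charset=utf-8",
    }
    return 302, headers, redirect_body(url)


if __name__ == "__main__":
    # Constructed sample inputs: one allowed path, one allowlisted URL carrying
    # markup characters, and one off-site target that must be refused.
    for target in ("/account", 'https://app.example.com/?q="><i>x', "http://other.example/"):
        print(target, "->", build_redirect(target))
```

Escaping is the change that closes the injection in the body; the allowlist is the additional control that keeps `redirectTo`-style helpers from doubling as open redirects, which the description identifies as the way an attacker gets to choose the URL in the first place.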
Statement
The vulnerability is exploitable only in Firefox. All other tested browsers will display an error message to the user and will not render the HTML body.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | ansible-tower | Will not fix | | |
| Red Hat Ansible Automation Platform 2 | python3x-twisted | Affected | | |
| Red Hat Ansible Automation Platform 2 | python-twisted | Affected | | |
| Red Hat Enterprise Linux 6 | python-twisted | Out of support scope | | |
| Red Hat Enterprise Linux 6 | python-twisted-web | Out of support scope | | |
| Red Hat Enterprise Linux 7 | python-twisted-web | Out of support scope | | |
| Red Hat OpenStack Platform 16.1 | python-twisted | Out of support scope | | |
| Red Hat OpenStack Platform 16.2 | python-twisted | Will not fix | | |
| Red Hat Storage 3 | python-carbon | Affected | | |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | automation-controller | Fixed | RHSA-2024:7312 | 27.09.2024 |
Additional information
EPSS
4.2 Medium
CVSS3
Related vulnerabilities
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
Twisted vulnerable to HTML injection in HTTP redirect body