Exploit for #VU62050 SQL injection in Django

Published: 2022-04-25 | Updated: 2022-05-27

Vulnerability identifier: #VU62050

Vulnerability risk: High

CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2022-28346

CWE-ID: CWE-89

Exploitation vector: Network

Exploits in database: 4

May 27, 2022
- CVE-2022-28346 () [Github]
May 16, 2022
- CVE-2022-28346 (An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary ex [Github]
April 26, 2022
- CVE-2022-28346 (Django QuerySet.annotate(), aggregate(), extra() SQL 注入) [Github]
April 25, 2022
- CVE-2022-28346 (SQL injection in QuerySet.annotate(), aggregate(), and extra()) [Github]

Vulnerable software:
Django
Web applications / CMS

Vendor: Django Software Foundation