PT-2024-19268 · Unknown · Django Template Engine

Bastianwegge · Published 2024-01-11 · Updated 2024-01-18 · CVE-2024-22199

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Django template engine for Fiber, versions prior to the latest patched version.
Description: This issue affects web applications that render user-supplied data through the Django template engine for Fiber. Because the engine did not autoescape template variables by default, user-controlled values could be emitted into the page as raw HTML, allowing Cross-Site Scripting (XSS): a malicious script is executed in the browser of any user who visits the affected page. The patched template engine now defaults autoescape to true, which mitigates the XSS risk.
Recommendations: For versions prior to the latest patched version, upgrade to the latest version of the Django template engine for Fiber, where this security update is implemented. As a temporary workaround, users who cannot upgrade immediately can enable autoescaping manually inside individual Django templates by wrapping the affected output in the tags that control autoescape behaviour, such as {% autoescape on %} ... {% endautoescape %}.
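The following added example (not code from the Fiber project, its Django template engine, or this advisory) illustrates why the autoescape default matters. It uses Go's standard library rather than the pongo2-based engine the advisory concerns: text/template stands in for the pre-patch behaviour (no autoescape, values copied verbatim) and html/template for the patched default (context-aware escaping). The template string and the user-supplied sample value are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed sample of user-supplied data, e.g. a display name taken from a
// form field. It carries script markup so the escaping difference is visible.
const untrustedName = `<script>alert(1)</script>`

// Constructed page template; in the Fiber engine this would be a .django file.
const pageTemplate = `<p>Hello, {{.Name}}</p>`

// RenderWithoutAutoescape mimics the pre-patch default: the engine copies the
// variable into the page unchanged, so the markup becomes live HTML.
func RenderWithoutAutoescape(name string) (string, error) {
	tmpl, err := texttemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// RenderWithAutoescape mimics the patched default (autoescape on): every
// variable is escaped for the HTML context it lands in, so "<" becomes "&lt;"
// and the browser shows the text instead of executing it.
func RenderWithAutoescape(name string) (string, error) {
	tmpl, err := htmltemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// ContainsRawScript is a simple defender-side check usable in a regression
// test: rendered output for an untrusted value must never contain an
// unescaped script tag.
func ContainsRawScript(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	raw, _ := RenderWithoutAutoescape(untrustedName)
	safe, _ := RenderWithAutoescape(untrustedName)
	fmt.Println("autoescape off:", raw, "| raw script present:", ContainsRawScript(raw))
	fmt.Println("autoescape on: ", safe, "| raw script present:", ContainsRawScript(safe))
}
```

The escaped variant renders the value as `&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser displays as literal text. The same contrast applies to the Fiber engine before and after the fix, and the `{% autoescape on %}` workaround from the Recommendations produces the escaped form for the block it wraps.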

Exploit

Fix

Improper Encoding or Escaping of Output

XSS

RCE

Weakness Enumeration

Related Identifiers

CVE-2024-22199
GHSA-4MQ2-GC4J-CMW6
GO-2024-2461

Affected Products

Django Template Engine