Vulnerability identifier: #VU62050

Vulnerability risk: High

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-28346

CWE-ID: CWE-89

Exploitation vector: Network

Exploits in database: 4

• May 27, 2022
  • CVE-2022-28346 () [Github]
• May 16, 2022
  • CVE-2022-28346 (An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary ex [Github]
• April 26, 2022
  • CVE-2022-28346 (Django QuerySet.annotate(), aggregate(), extra() SQL 注入) [Github]
• April 25, 2022
  • CVE-2022-28346 (SQL injection in QuerySet.annotate(), aggregate(), and extra()) [Github]

Impact: Information disclosure and data manipulation

Vulnerable software:
Django
Web applications / CMS

Vendor: Django Software Foundation