Vulnerability Details CVE-2020-7471
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.078
EPSS Ranking 91.6%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2020-7471
-
cpe:2.3:a:djangoproject:django:1.11
-
cpe:2.3:a:djangoproject:django:1.11.1
-
cpe:2.3:a:djangoproject:django:1.11.10
-
cpe:2.3:a:djangoproject:django:1.11.11
-
cpe:2.3:a:djangoproject:django:1.11.12
-
cpe:2.3:a:djangoproject:django:1.11.13
-
cpe:2.3:a:djangoproject:django:1.11.14
-
cpe:2.3:a:djangoproject:django:1.11.15
-
cpe:2.3:a:djangoproject:django:1.11.16
-
cpe:2.3:a:djangoproject:django:1.11.17
-
cpe:2.3:a:djangoproject:django:1.11.18
-
cpe:2.3:a:djangoproject:django:1.11.19
-
cpe:2.3:a:djangoproject:django:1.11.2
-
cpe:2.3:a:djangoproject:django:1.11.20
-
cpe:2.3:a:djangoproject:django:1.11.21
-
cpe:2.3:a:djangoproject:django:1.11.22
-
cpe:2.3:a:djangoproject:django:1.11.23
-
cpe:2.3:a:djangoproject:django:1.11.24
-
cpe:2.3:a:djangoproject:django:1.11.25
-
cpe:2.3:a:djangoproject:django:1.11.26
-
cpe:2.3:a:djangoproject:django:1.11.27
-
cpe:2.3:a:djangoproject:django:1.11.3
-
cpe:2.3:a:djangoproject:django:1.11.4
-
cpe:2.3:a:djangoproject:django:1.11.5
-
cpe:2.3:a:djangoproject:django:1.11.6
-
cpe:2.3:a:djangoproject:django:1.11.7
-
cpe:2.3:a:djangoproject:django:1.11.8
-
cpe:2.3:a:djangoproject:django:1.11.9
-
cpe:2.3:a:djangoproject:django:2.2
-
cpe:2.3:a:djangoproject:django:2.2.1
-
cpe:2.3:a:djangoproject:django:2.2.2
-
cpe:2.3:a:djangoproject:django:2.2.3
-
cpe:2.3:a:djangoproject:django:2.2.4
-
cpe:2.3:a:djangoproject:django:2.2.5
-
cpe:2.3:a:djangoproject:django:2.2.6
-
cpe:2.3:a:djangoproject:django:2.2.7
-
cpe:2.3:a:djangoproject:django:2.2.8
-
cpe:2.3:a:djangoproject:django:2.2.9
-
cpe:2.3:a:djangoproject:django:3.0
-
cpe:2.3:a:djangoproject:django:3.0.1
-
cpe:2.3:a:djangoproject:django:3.0.2