Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| Django(PyPI) | 0 | 1.11.28 | N/A |
| Django(PyPI) | 2.0 | 2.2.10 | N/A |
| Django(PyPI) | 3.0 | 3.0.3 | N/A |
CVSS Metrics
