Vulnerability	Vulnerable Version
C Class Pollution django-unicorn is an A magical full-stack framework for Django. Affected versions of this package are vulnerable to Class Pollution in the `set_property_value()` function. An attacker can manipulate the Python runtime environment and trigger unintended behaviors by providing malicious values in a component request. The `property_name` parameter accepts directory-traversing pathname values, which the attacker can use to point to an arbitrary location in the Python runtime, and the `property_value` can hold an arbitrary malicious value, including a global (`__`/dunder) property. Several kinds of undesirable impact have been demonstrated based on the manipulation of other modules by polluting their dependency paths in this way. Impacts include cross-site scripting, denial of service and authentication bypass by overwriting a secret key. How to fix Class Pollution? Upgrade `django-unicorn` to version 0.62.0 or higher.	[,0.62.0)

Class Pollution

django-unicorn is an A magical full-stack framework for Django.

Affected versions of this package are vulnerable to Class Pollution in the set_property_value() function. An attacker can manipulate the Python runtime environment and trigger unintended behaviors by providing malicious values in a component request. The property_name parameter accepts directory-traversing pathname values, which the attacker can use to point to an arbitrary location in the Python runtime, and the property_value can hold an arbitrary malicious value, including a global (__/dunder) property.

Several kinds of undesirable impact have been demonstrated based on the manipulation of other modules by polluting their dependency paths in this way. Impacts include cross-site scripting, denial of service and authentication bypass by overwriting a secret key.

How to fix Class Pollution?

Upgrade django-unicorn to version 0.62.0 or higher.

[,0.62.0)

Go back to all versions of this package