Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability: the redirect target URL is placed into the HTML body of the redirect response without escaping. If application code allows an attacker to control the redirect URL, this may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
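The pattern the advisory describes, as an added illustration rather than Twisted's own code or the upstream fix: a redirect body that interpolates the target URL into HTML unescaped, beside an escaped form, plus an assumed application-level allowlist check for the redirect target (the advisory's precondition is that the application lets the URL be attacker-controlled).

```python
import html
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed template mirroring the shape of a meta-refresh redirect page.
# Illustration only; not the project's source.
_TEMPLATE = (
    '<html><head><meta http-equiv="refresh" content="0;URL=%(url)s"></head>'
    '<body><a href="%(url)s">click here</a></body></html>'
)


def redirect_body_unescaped(url: str) -> str:
    """Vulnerable pattern: the URL lands in attribute values verbatim."""
    return _TEMPLATE % {"url": url}


def redirect_body_escaped(url: str) -> str:
    """Hardened pattern: HTML-escape (including quotes) before interpolating."""
    return _TEMPLATE % {"url": html.escape(url, quote=True)}


def validated_redirect_target(candidate: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Assumed application-side control: accept only same-site absolute paths
    or http(s) URLs whose host is on an explicit allowlist. Returns None when
    the candidate should not be used as a redirect target."""
    parts = urlsplit(candidate)
    # Same-site path: no scheme, no authority, single leading slash
    # (a "//host" prefix is scheme-relative and would leave the site).
    if (parts.scheme == "" and parts.netloc == ""
            and candidate.startswith("/") and not candidate.startswith("//")):
        return candidate
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return candidate
    return None
```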
References:
[1] https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33 (fix, shipped in 24.7.0rc1)
[2] https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2
Note from the upstream advisory (https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2): due to the different ways browsers validate the redirect Location header, this attack is possible only in Firefox. All other tested browsers will display an error message to the user and will not render the HTML body.
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:7312: https://access.redhat.com/errata/RHSA-2024:7312