1. XSS Vulnerability - There is an unused parameter called "director" that is stored but never used in either buy_card_view() or gift_card_view(). When I request the URL http://127.0.0.1:8000/buy.html?director= with a payload in the parameter, the page shows the XSS vulnerability. Because the program stores the "director" parameter and never uses the director variable, I fixed this vulnerability by simply erasing the parameter from the code.

2. CSRF Vulnerability - In gift_card_view(), when sending a gift card to someone, the program allows a GET request to send the gift. Therefore, if I send a user of this service the link http://127.0.0.1:8000/gift.html?username="test"&amount="100", I can trick them into giving me a gift card without their consent. To fix this vulnerability, I removed the `request.method == "GET" and 'username' in request.GET` condition from the `elif request.method == "POST" or request.method == "GET" and 'username' in request.GET:` statement.

3. SQLi Vulnerability - In use_card_view(), the program accesses the SQL database, and the signature parameter (from the .gftcrd file) is passed directly into the SQL query. Therefore, I can manipulate the signature so that the query returns the password of any user. In this case, I output the admin's password with: "signature": "12345'union all select password from LegacySite_user where username = \"admin\" -- ". To fix this vulnerability, we need to build the SQL query with properly escaped arguments. New code:

    card_query = Card.objects.raw('select id from LegacySite_card where data LIKE %s', [signature])

4. Command Injection - This injection occurs in parse_card_data() in extras.py. This function is linked directly to the "NameYourCard" input in use_card_view(). The line ret_val = system(f"{CARD_PARSER} 2 {card_path_name} > tmp_file") takes the user's input directly without sanitizing it, so the input can be used to inject a command into the system. To fix this, we need to sanitize the input before calling the function.
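As an added example (not the project's own code) of the sanitizing step for item 4: the card name is checked against a strict allow-list before it is used to build the file path, and the parser is started with subprocess.run() using an argv list and no shell, so the name can never be interpreted as shell syntax. The parser path, CARD_DIR and every function except parse_card_data are assumptions; the parser's stdout is captured instead of being redirected to tmp_file by the shell.

```python
import re
import subprocess
from pathlib import Path

# Assumed values, not the project's own: the parser binary the page calls
# CARD_PARSER, and a hypothetical directory holding uploaded .gftcrd files.
CARD_PARSER = "/usr/local/bin/giftcardreader"
CARD_DIR = Path("/tmp/cards")

# Allow-list for the user-supplied "NameYourCard" value: letters, digits,
# '_' and '-' only, 1-64 characters. Shell metacharacters (; | & $ ` > space)
# and path separators are rejected outright instead of being escaped.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_safe_card_name(card_name: str) -> bool:
    """True only if the whole name matches the allow-list."""
    return _SAFE_NAME.fullmatch(card_name) is not None


def safe_card_path(card_name: str) -> Path:
    """Return CARD_DIR/<name>.gftcrd, or raise ValueError for an unsafe name."""
    if not is_safe_card_name(card_name):
        raise ValueError(f"invalid card name: {card_name!r}")
    return CARD_DIR / f"{card_name}.gftcrd"


def parser_command(card_name: str) -> list:
    """Build the argv list: the file path is one argument, never shell text."""
    return [CARD_PARSER, "2", str(safe_card_path(card_name))]


def parse_card_data(card_name: str) -> str:
    """Hardened replacement for the os.system() call: no shell is involved,
    and the parser's stdout is captured rather than redirected by a shell."""
    result = subprocess.run(
        parser_command(card_name),
        capture_output=True,
        text=True,
        check=False,
    )
    return result.stdout
```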