CVE-2019-12308

Severity Medium
Remote Yes
Type Cross-site scripting
Description
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value as the link target without validating it as a safe URL. Thus an unvalidated value stored in the database, or a value supplied as a URL query parameter payload (for example to prefill an admin form), could result in a clickable link with a javascript: target. Template autoescaping does not help here: a javascript: URL needs no quotes or angle brackets, so it survives escaping and executes when the link is clicked.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
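The following is an added illustration of the before/after behaviour described above; it is not Django's own code. It reconstructs the widget's link rendering with plain Python and uses a constructed stand-in for django.core.validators.URLValidator that keeps only the real validator's default scheme allow-list (http, https, ftp, ftps) plus a loose host check. The `validator` argument of `current_url_link_fixed` plays the role of the validator_class kwarg mentioned above; the function and sample names are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError (constructed here)."""


class SimpleURLValidator:
    """Constructed stand-in for django.core.validators.URLValidator.

    It keeps URLValidator's default scheme allow-list and rejects anything
    else, so a javascript: or data: value never reaches an href. The real
    validator also applies a much stricter host/IP grammar; this one only
    checks that a plausible host is present.
    """

    schemes = ["http", "https", "ftp", "ftps"]

    def __init__(self, schemes=None):
        if schemes is not None:
            self.schemes = list(schemes)

    def __call__(self, value):
        parts = urlsplit(value)  # urlsplit lowercases the scheme for us
        if parts.scheme not in self.schemes:
            raise ValidationError(f"Enter a valid URL: scheme {parts.scheme!r} not allowed")
        if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d{1,5})?", parts.netloc):
            raise ValidationError(f"Enter a valid URL: bad host {parts.netloc!r}")


def current_url_link_vulnerable(value):
    """Pre-fix behaviour (reconstructed): whatever the field holds becomes the
    href. Autoescaping (html.escape here) is applied but cannot neutralise a
    javascript: URL, because the payload needs no quotes or angle brackets."""
    if not value:
        return ""
    escaped = html.escape(value)
    return f'<a href="{escaped}">{escaped}</a>'


def current_url_link_fixed(value, validator=None):
    """Post-fix behaviour (reconstructed): render the clickable link only when
    the validator accepts the value; otherwise show it as escaped plain text."""
    if not value:
        return ""
    validator = validator or SimpleURLValidator()
    try:
        validator(value)
    except ValidationError:
        return html.escape(value)
    escaped = html.escape(value)
    return f'<a href="{escaped}">{escaped}</a>'


# Constructed inputs: one legitimate stored value and three payloads that could
# arrive via an unvalidated model field or a prefilled admin form query string.
SAMPLES = [
    "https://example.com/docs?q=1",
    "javascript:alert(document.domain)",
    "JavaScript://example.com/%0aalert(1)",
    "data:text/html,<script>alert(1)</script>",
]


def is_clickable(rendered):
    """True when the rendered fragment is an anchor rather than plain text."""
    return rendered.startswith("<a ")


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        print("  before:", current_url_link_vulnerable(sample))
        print("  after: ", current_url_link_fixed(sample))
```

Running it shows every sample rendered as an anchor by the vulnerable path, while the fixed path renders only the https value as a link and the three payloads as inert text. Passing `SimpleURLValidator(schemes=["https"])` as `validator` tightens this further, which is the kind of customisation the validator_class kwarg exists for.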
Group     Package         Affected    Fixed       Severity  Status  Ticket
AVG-970   python2-django  1.11.20-1   1.11.21-1   Medium    Fixed
AVG-969   python-django   2.2.1-1     2.2.2-1     Medium    Fixed
Date         Advisory       Group     Package         Severity  Type
04 Jun 2019  ASA-201906-2   AVG-969   python-django   Medium    cross-site scripting
04 Jun 2019  ASA-201906-1   AVG-970   python2-django  Medium    cross-site scripting
References
https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b