CVE-2019-12308 log
| Source |
|
| Severity | Medium |
| Remote | Yes |
| Type | Cross-site scripting |
| Description | The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-970 | python2-django | 1.11.20-1 | 1.11.21-1 | Medium | Fixed | |
| AVG-969 | python-django | 2.2.1-1 | 2.2.2-1 | Medium | Fixed |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 04 Jun 2019 | ASA-201906-2 | AVG-969 | python-django | Medium | cross-site scripting |
| 04 Jun 2019 | ASA-201906-1 | AVG-970 | python2-django | Medium | cross-site scripting |
| References |
|---|
https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673 https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b |