{
  "schema_version": "1.4.0",
  "id": "GHSA-785h-76cm-cpmf",
  "modified": "2025-03-26T20:34:02Z",
  "published": "2025-03-26T20:34:02Z",
  "aliases": [],
  "summary": "Django TomSelect incomplete escaping of dangerous characters in widget attributes",
  "details": "### Summary\nUser supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and in some cases are rendered in browser as valid html tags.\n\n### Details\nAttributes passed to the widget (such as `label_field`) containing `<`, `>`, and similar tokens are not fully escaped. This results in some raw values reaching the widget, and rendering in part or fully.\n\nFor example, a label of: `\"Test User <script>I can pass this to the label_field and it gets rendered</script>\"` is rendered in the choices's label visually as `\"Test User \"` with the trailing space, and what appears as an un-executed script tag following it (which is visible when viewing source).\n\nThe actual output rendered in the browser for this example is: `<div role=\"option\" data-value=\"63f205b6\" class=\"item\" data-ts-item=\"\">Test User <script>I can pass this to the label_field and it gets rendered</script></div>`\n\nThe script tags appears to be valid in Chrome dev tools, but doesn't appear execute code.\n\n### Impact\nAlthough the risk may be mediated since the content within the rendered `<script></script>` tags does not seem to actually/immediately run, potential may exist for other ways of increasing the risk (e.g.: code injection).  In addition, the widget does not display correctly for valid strings containing `<` or `>`. Valid use-cases for printing these characters include widget label fields displaying email addresses (e.g.: `\"User Jane <user.jane@example.com>\"`\n\nBecause of the relatively small number of users at this moment, our plan to yank affected releases on PyPI and GitHub, and because raw text is rendered but does not seem to be executable, I am marking the Severity **Low**.\n\nUpdate to version **5.3.3**. The only difference from 5.3.2 is the code and documentation changes to resolve this vulnerability, so the update process should not be problematic.",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-tomselect"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2025.3.3"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OmenApps/django-tomselect/security/advisories/GHSA-785h-76cm-cpmf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OmenApps/django-tomselect/commit/0990ed36c8874f9d42fa9deff7734bf8dcd46d40"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OmenApps/django-tomselect"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-26T20:34:02Z",
    "nvd_published_at": null
  }
}