{ "schema_version": "1.4.0", "id": "GHSA-7rp2-fm2h-wchj", "modified": "2024-09-20T16:03:27Z", "published": "2019-06-10T18:43:25Z", "aliases": [ "CVE-2019-12308" ], "summary": "Django Cross-site Scripting in AdminURLFieldWidget", "details": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.11a1" }, { "fixed": "1.11.21" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.1a1" }, { "fixed": "2.1.9" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.2a1" }, { "fixed": "2.2.2" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12308" }, { "type": "WEB", "url": "https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62" }, { "type": "WEB", "url": "https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673" }, { "type": "WEB", "url": "https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b" }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4476" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4043-1" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202004-17" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Jul/10" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html" }, { "type": "WEB", "url": "https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-79.yaml" }, { "type": "PACKAGE", "url": "https://github.com/django/django" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-7rp2-fm2h-wchj" }, { "type": "WEB", "url": "https://docs.djangoproject.com/en/dev/releases/security" }, { "type": "WEB", "url": "https://docs.djangoproject.com/en/dev/releases/2.2.2" }, { "type": "WEB", "url": "https://docs.djangoproject.com/en/dev/releases/2.1.9" }, { "type": "WEB", "url": "https://docs.djangoproject.com/en/dev/releases/1.11.21" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/06/03/2" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2019-06-10T18:41:42Z", "nvd_published_at": "2019-06-03T17:29:00Z" } }