CVE-2019-12308: Cross-site Scripting in Django

CWE-79: Cross-site Scripting | 13 documents | 8 sources

Severity: 6.1 MEDIUM (NVD)
EPSS: 1.5% (top 19.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jun 3
Latest update: Jul 8

Description

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD | djangoproject/django | 1.11 – 1.11.21 | +2
PyPI | djangoproject/django | 1.11a1 – 1.11.21 | +2

Vulnerability Details (5)

OSV: python-django vulnerabilities (2019-07-01)
OSV: Django Cross-site Scripting in AdminURLFieldWidget (2019-06-10)
GHSA: Django Cross-site Scripting in AdminURLFieldWidget (2019-06-10)
CVEList: CVE-2019-12308: An issue was discovered in Django 1 (2019-06-03)
OSV: CVE-2019-12308: An issue was discovered in Django 1 (2019-06-03)

Vendor Advisories (3)

Ubuntu: Django vulnerabilities (2019-07-01)
Red Hat: django: missing URL validation by AdminURLFieldWidget leads to generation of clickable unsafe JavaScript link causing cross site scripting (2019-06-03)
Debian: CVE-2019-12308: python-django - An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2... (2019)

Community (4)

Bugzilla: CVE-2019-12308 python-django: django: missing URL validation by AdminURLFieldWidget leads to generation of clickable unsafe JavaScript link causing cross site scripting [openstack-rdo] (2019-07-08)
Bugzilla: CVE-2019-12308 python-django: django: missing URL validation by AdminURLFieldWidget leads to generation of clickable unsafe JavaScript link causing cross site scripting [epel-7] (2019-06-04)
Bugzilla: CVE-2019-12308 python-django: django: missing URL validation by AdminURLFieldWidget leads to generation of clickable unsafe JavaScript link causing cross site scripting [fedora-30] (2019-06-04)
Bugzilla: CVE-2019-12308 django: missing URL validation by AdminURLFieldWidget leads to generation of clickable unsafe JavaScript link causing cross site scripting (2019-05-31)
CVE-2019-12308 — Cross-site Scripting in Django | cvebase