CVE-2020-13596: Cross-site Scripting in Django

CWE-79 Cross-site Scripting | 18 documents | 8 sources

Severity: 6.1 MEDIUM (NVD) | OSV: 5.9
EPSS: 1.0% (top 23.06%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 3, 2020 | Latest update Jun 9, 2020

Description

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, so characters in a parameter value could reach the rendered admin page unchanged, making a cross-site scripting (XSS) attack possible. Upgrading to 2.2.13 or 3.0.7 (or later) resolves the issue.
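To make the bug class concrete, the following is an added illustration (not Django's code and not taken from the fix) of what "query parameters not properly URL encoded" means for a widget that builds a link to a related-object list. The base path, the parameter names and the constructed attacker-influenced value are hypothetical; the template stand-in models both the normal case (HTML autoescaping on) and the case where the hand-built URL reaches the href attribute unescaped, which is where percent-encoding the parameters is the only remaining defence:

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs

# Constructed sample: the related-object changelist the widget links to and
# the filter parameters it appends. Path and parameter names are hypothetical
# (they are not taken from Django's code). The second value is constructed to
# carry the characters an XSS payload needs plus an '&' that, left unencoded,
# smuggles in an extra parameter.
BASE_URL = "/admin/app/owner/"
SAMPLE_PARAMS = {
    "status__exact": "published",
    "owner__username": 'x"><img src=x onerror=alert(1)>&_to_field=pk',
}


def unsafe_related_url(base, params):
    """Before: keys and values formatted straight into the query string.

    Nothing is percent-encoded, so quotes, angle brackets and '&' in a value
    survive verbatim into the URL that ends up in an href.
    """
    return base + "?" + "&".join(f"{k}={v}" for k, v in params.items())


def safe_related_url(base, params):
    """After: urlencode() percent-encodes every key and value."""
    return base + "?" + urlencode(params)


def render_link(url, autoescape=True):
    """Stand-in for a widget template's <a href="..."> rendering.

    autoescape=False models any path on which the URL reaches the attribute
    without HTML escaping (for example a value the template treats as already
    safe); in that case URL encoding of the parameters is the only defence.
    """
    href = html.escape(url, quote=True) if autoescape else url
    return f'<a href="{href}" class="related-lookup"></a>'


class _StartTagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Element names a browser would see; a second tag means the payload
    broke out of the href attribute."""
    parser = _StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def parse_params(url):
    """Parse the query string back into a dict to check round-tripping."""
    query = url.split("?", 1)[1]
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


if __name__ == "__main__":
    for label, build in (("unencoded", unsafe_related_url), ("urlencode", safe_related_url)):
        url = build(BASE_URL, SAMPLE_PARAMS)
        print(f"{label:10} raw href -> tags {start_tags(render_link(url, autoescape=False))}")
        print(f"{label:10} params   -> {parse_params(url)}")
```

Two things are worth checking when auditing similar code: the unencoded URL yields an extra `img` element once it lands in an unescaped attribute, and it also changes the parameter set seen by the server (the `&` in the value becomes a third parameter), whereas the `urlencode()` form renders a single `a` element and parses back to exactly the original parameters.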

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)

Affected Packages (3 packages)

Source | Package | Introduced | Fixed
NVD | djangoproject/django | 2.2 | 2.2.13 (+1 more range)
PyPI | djangoproject/django | 2.2a1 | 2.2.13 (+1 more range)

Also affects: Debian Linux 10.0, 9.0, Fedora 32, Ubuntu Linux 14.04, 16.04, 18.04, 19.10, 20.04

Patches

🔴 Vulnerability Details (6)

GHSA: XSS in Django (2020-06-05)
OSV: XSS in Django (2020-06-05)
OSV: python-django vulnerabilities (2020-06-04)
OSV: python-django vulnerabilities (2020-06-03)
OSV: CVE-2020-13596: An issue was discovered in Django 2 (2020-06-03)

📋 Vendor Advisories (4)

Ubuntu: Django vulnerabilities (2020-06-04)
Red Hat: django: possible XSS via admin ForeignKeyRawIdWidget (2020-06-03)
Ubuntu: Django vulnerabilities (2020-06-03)
Debian: CVE-2020-13596: python-django - An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query ... (2020)

💬 Community (7)

Bugzilla: CVE-2020-13596 python2-django1.11: django: possible XSS via admin ForeignKeyRawIdWidget [fedora-all] (2020-06-09)
Bugzilla: CVE-2020-13596 python-django16: django: possible XSS via admin ForeignKeyRawIdWidget [epel-7] (2020-06-03)
Bugzilla: CVE-2020-13596 python-django: django: possible XSS via admin ForeignKeyRawIdWidget [fedora-all] (2020-06-03)
Bugzilla: CVE-2020-13596 python-django: django: possible XSS via admin ForeignKeyRawIdWidget [epel-all] (2020-06-03)
Bugzilla: CVE-2020-13596 django: possible XSS via admin ForeignKeyRawIdWidget (2020-06-03)