CVE-2019-12308: Cross-site Scripting
An issue was discovered in Django. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
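As an added illustration (not Django's own code), the snippet below contrasts a read-only "Current URL" renderer that links every stored value with one that only emits an anchor after the value passes URL validation. The function names, the ALLOWED_SCHEMES allow-list and the sample values are assumptions constructed for this example.

```python
"""Illustration of the CVE-2019-12308 pattern: a read-only 'Current URL' link
built from a stored value. The vulnerable renderer trusts the value; the
hardened one links only when the value validates as a safe URL.

Added example, not Django's code. The render_* helpers, ALLOWED_SCHEMES and
the sample values are assumptions constructed for this demonstration.
"""
from html import escape
from urllib.parse import urlsplit

# Schemes a URL field should be allowed to link to (assumed allow-list).
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def is_safe_url(value: str) -> bool:
    """Accept only absolute URLs with an allow-listed scheme and a host.

    Anything else (javascript:, data:, relative paths, garbage) is rejected,
    so it is still shown as text but never turned into a clickable link.
    """
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_vulnerable_widget(value: str) -> str:
    """Pre-fix behaviour: every stored value becomes an <a href>.

    HTML escaping stops tag injection, but a 'javascript:' scheme survives
    escaping intact, so the link itself is the problem.
    """
    v = escape(value, quote=True)
    return f'<p class="url">Current URL: <a href="{v}">{v}</a></p>'


def render_hardened_widget(value: str) -> str:
    """Post-fix behaviour: link only if the value validates as a safe URL."""
    v = escape(value, quote=True)
    if is_safe_url(value):
        return f'<p class="url">Current URL: <a href="{v}">{v}</a></p>'
    return f'<p class="url">Current URL: {v}</p>'


if __name__ == "__main__":
    # Constructed sample values: one legitimate URL and one non-HTTP scheme.
    for sample in ("https://example.com/page", "javascript:void(0)"):
        print(render_vulnerable_widget(sample))
        print(render_hardened_widget(sample))
```

The same allow-list check can be run over existing URLField rows to find stored values that would have rendered as links before the upgrade.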
References
- docs.djangoproject.com/en/dev/releases/1.11.21/
- docs.djangoproject.com/en/dev/releases/2.1.9/
- docs.djangoproject.com/en/dev/releases/2.2.2/
- docs.djangoproject.com/en/dev/releases/security/
- github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62
- github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673
- github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
- github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008
- groups.google.com/forum/
- nvd.nist.gov/vuln/detail/CVE-2019-12308
- www.djangoproject.com/weblog/2019/jun/03/security-releases/