CVE-2019-12308

Published: 03/06/2019 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

An issue exists in Django 1.11 prior to 1.11.21, 2.1 prior to 2.1.9, and 2.2 prior to 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

Vulnerable Products

djangoproject django

Vendor Advisories

Several security issues were fixed in Django ...
Debian Bug report logs - #931316 python-django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> ...
Debian Bug report logs - #929927 python-django: CVE-2019-12308: AdminURLFieldWidget XSS. Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 3 Jun 2019 12:36:02 UTC Se ...
Three security issues were found in Django, a Python web development framework, which could result in denial of service, incomplete sanitisation of clickable links or missing redirects of HTTP requests to HTTPS. For the stable distribution (stretch), these problems have been fixed in version 1:1.10.7-2+deb9u5. We recommend that you upgrade your pyt ...
Impact: Moderate Public Date: 2019-06-03 CWE: CWE-79 Bugzilla: 1715915: CVE-2019-12308 django: missing ...
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link. AdminURLFieldWidget now validates the provided value using URLVali ...
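As an added illustration of the summary and the advisory text above (not Django's own code), this simplified re-implementation contrasts the pre-fix rendering of the "Current URL" link with the post-fix behaviour that validates the value first. The is_safe_url check is an assumed stand-in for Django's URLValidator, and the sample rows are constructed.

```python
from html import escape
from urllib.parse import urlsplit

# Assumption: simplified stand-in for Django's URLValidator, which by default
# accepts only these schemes. Not Django's own implementation.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def is_safe_url(value: str) -> bool:
    """Return True only for an absolute URL with an allowed scheme and a host."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_current_url_vulnerable(value: str) -> str:
    """Pre-fix behaviour: the stored value becomes the href unchanged.
    HTML-escaping does not help: 'javascript:alert(1)' has no characters that
    escape() rewrites, so the anchor still carries a JavaScript URL."""
    v = escape(value, quote=True)
    return '<p class="url">Currently: <a href="%s">%s</a></p>' % (v, v)


def render_current_url_fixed(value: str) -> str:
    """Post-fix behaviour as the advisory describes it: validate first, and show
    the value as plain text instead of a link when validation fails."""
    v = escape(value, quote=True)
    if is_safe_url(value):
        return '<p class="url">Currently: <a href="%s">%s</a></p>' % (v, v)
    return '<p class="url">Currently: %s</p>' % v


def find_unsafe_stored_urls(rows):
    """Audit helper for values already in the database: return the primary keys
    whose value would have rendered as a clickable non-HTTP(S)/FTP link."""
    return [pk for pk, url in rows if not is_safe_url(url)]


if __name__ == "__main__":
    # Constructed sample rows, as they might sit in a URLField column.
    sample_rows = [
        (1, "https://example.com/path?a=1&b=2"),
        (2, "javascript:alert(1)"),
        (3, "JavaScript:alert(1)"),
        (4, "example.com"),
    ]
    for pk, url in sample_rows:
        print(pk, render_current_url_fixed(url))
    print("rows to review:", find_unsafe_stored_urls(sample_rows))
```

Running the audit helper over an existing URLField column is the practical follow-up after upgrading, since the fix stops rendering the link but does not clean up values already stored.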

Github Repositories

A collection of Django security-related tools and libs.

List inspired by the awesome list thing. Supported by: Vinta Software. Awesome Django Security: a collection of Django security-related tools and topics. If you are concerned about security and use Django for productivity, this can be of help. If you'd like to contribute to this list, simply open a PR with your additions. Maintained by @tcostam. If you have contributions b ...