CVE-2019-12308

CVE-2019-12308

Name

CVE-2019-12308

Description

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
Mailing List	https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8
Vendor Advisory	https://docs.djangoproject.com/en/dev/releases/security/
Vendor Advisory	https://docs.djangoproject.com/en/dev/releases/2.2.2/
Vendor Advisory	https://docs.djangoproject.com/en/dev/releases/2.1.9/
Vendor Advisory	https://docs.djangoproject.com/en/dev/releases/1.11.21/
Mailing List	http://www.openwall.com/lists/oss-security/2019/06/03/2
BID	http://www.securityfocus.com/bid/108559
MLIST	https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/
UBUNTU	https://usn.ubuntu.com/4043-1/
MLIST	https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html
DEBIAN	https://www.debian.org/security/2019/dsa-4476
BUGTRAQ	https://seclists.org/bugtraq/2019/Jul/10
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
GENTOO	https://security.gentoo.org/glsa/202004-17

Type

URI

Vendor Advisory

https://www.djangoproject.com/weblog/2019/jun/03/security-releases/

Mailing List

https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8

Vendor Advisory

https://docs.djangoproject.com/en/dev/releases/security/

Vendor Advisory

https://docs.djangoproject.com/en/dev/releases/2.2.2/

Vendor Advisory

https://docs.djangoproject.com/en/dev/releases/2.1.9/

Vendor Advisory

https://docs.djangoproject.com/en/dev/releases/1.11.21/

Mailing List

http://www.openwall.com/lists/oss-security/2019/06/03/2

BID

http://www.securityfocus.com/bid/108559

MLIST

https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/

UBUNTU

https://usn.ubuntu.com/4043-1/

MLIST

https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html

DEBIAN

https://www.debian.org/security/2019/dsa-4476

BUGTRAQ

https://seclists.org/bugtraq/2019/Jul/10

SUSE

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html

SUSE

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

GENTOO

https://security.gentoo.org/glsa/202004-17

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:djangoproject:django::::::::`	django	>= 2.2	< 2.2.2
`cpe:2.3:a:djangoproject:django::::::::`	django	>= 1.11	< 1.11.21
`cpe:2.3:a:djangoproject:django::::::::`	django	>= 2.1	< 2.1.9

CPE URI

Source package

Min version

Max version

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

django

>= 2.2

< 2.2.2

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

django

>= 1.11

< 1.11.21

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

django

>= 2.1

< 2.1.9

References

Match rules

Vulnerable and fixed packages