CVE-2020-13596
Severity: MEDIUM 6.1 | EPSS 0.57% | XSS in Django
Published: 6/5/2020 | Modified: 9/20/2024
Description
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget (the lookup parameters it appends to the related-object changelist URL) were not properly URL encoded, leading to a possibility of an XSS attack. Fixed in 2.2.13 and 3.0.7.
Affected packages (4)
- Bitnami/django: >= 2.2.0, < 2.2.13; >= 3.0.0, < 3.0.7
- Debian/python-django: from 0, < 2:2.2.13-1
- PyPI/django: >= 2.2a1, < 2.2.13
- PyPI/django: >= 2.2, < 2.2.13; >= 3.0, < 3.0.7
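The following is an added example, not Django's own code and not the patch referenced below. It illustrates the bug class the description names (a query string built by interpolating lookup values verbatim, beside the same string built with urlencode, which is the kind of fix the advisory describes) and applies the affected version ranges listed above to a version string. The base URL, the lookup parameters and the `<script>` payload are constructed for the example; the stdlib `urllib.parse.urlencode` stands in for the URL-encoding helper a Django fix would use.

```python
"""Added example for CVE-2020-13596 (not Django code).

The admin raw-id widget links to the related changelist and appends lookup
parameters as a query string. If the values are formatted into the URL
verbatim, characters such as '"', '<' and '>' survive into the markup;
percent-encoding them with urlencode() removes that. The version check at
the bottom uses the affected ranges listed on this page.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample input (hypothetical field name and payload); in the real
# widget the values come from the related field's limit_choices_to.
SAMPLE_BASE_URL = '/admin/library/author/'
SAMPLE_PARAMS = {
    'name__startswith': '"><script>alert(1)</script>',
    '_to_field': 'id',
}


def related_url_unencoded(base_url, params):
    """Vulnerable pattern: keys and values are interpolated as-is."""
    query = '&'.join('%s=%s' % (key, value) for key, value in params.items())
    return base_url + '?' + query


def related_url_encoded(base_url, params):
    """Hardened pattern: urlencode() percent-encodes every key and value."""
    return base_url + '?' + urlencode(params)


def contains_html_metachars(url):
    """True if the URL still carries characters that can break out of an
    HTML attribute or text node when the link is rendered."""
    return re.search(r'[<>"\']', url) is not None


def roundtrip_value(url, key):
    """Decode the query string back and return the value for `key`, to show
    that encoding preserves the lookup value rather than mangling it."""
    return parse_qs(urlsplit(url).query)[key][0]


# Affected ranges from this page: [lower, upper) as (major, minor, patch).
AFFECTED_RANGES = [
    ((2, 2, 0), (2, 2, 13)),
    ((3, 0, 0), (3, 0, 7)),
]


def parse_version(version):
    """Parse 'X.Y' or 'X.Y.Z' into a comparable tuple; a pre-release tag such
    as '2.2a1' is treated as the base release it precedes."""
    match = re.fullmatch(r'(\d+)\.(\d+)(?:\.(\d+))?(?:[abrc]+\d+)?', version)
    if not match:
        raise ValueError('unrecognised version: %r' % version)
    return (int(match[1]), int(match[2]), int(match[3] or 0))


def is_affected(version):
    """True if the given Django version falls inside an affected range."""
    parsed = parse_version(version)
    return any(low <= parsed < high for low, high in AFFECTED_RANGES)


if __name__ == '__main__':
    print('unencoded:', related_url_unencoded(SAMPLE_BASE_URL, SAMPLE_PARAMS))
    print('encoded:  ', related_url_encoded(SAMPLE_BASE_URL, SAMPLE_PARAMS))
    for candidate in ('2.2.12', '2.2.13', '3.0.6', '3.0.7', '3.1'):
        print(candidate, 'affected' if is_affected(candidate) else 'not affected')
```

Whether an unencoded value becomes exploitable also depends on how the link is rendered (template autoescaping covers some contexts), so treat `contains_html_metachars` as a test for the encoding defect, not as proof of a working exploit. The version check is deliberately strict about the two ranges on this page; a package manager's own version comparison (for example `pip index versions django` or the Debian version from L8) remains the authoritative source.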
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (16)
- ADVISORY https://github.com/advisories/GHSA-2m34-jcjv-45xf
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-13596
- ADVISORY https://security.netapp.com/advisory/ntap-20200611-0002/
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2020-13596
- ADVISORY https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
- PATCH https://github.com/django/django
- WEB https://docs.djangoproject.com/en/3.0/releases/security/
- WEB https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38
- WEB https://github.com/django/django/commit/6d61860b22875f358fac83d903dc629897934815
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-32.yaml
- WEB https://groups.google.com/forum/#!msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- WEB https://usn.ubuntu.com/4381-1/
- WEB https://usn.ubuntu.com/4381-2/
- WEB https://www.debian.org/security/2020/dsa-4705
- WEB https://www.oracle.com/security-alerts/cpujan2021.html