CVE-2019-12308

MEDIUM6.1EPSS 1.6%

python-django - security update

發布日:2019/6/10修改日:2026/4/28

描述

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

受影響套件(7)

Alpine/py3-djangofrom 0, < 1.11.21-r0
Alpine/py-djangofrom 0, < 1.11.21-r0
Debian/python-djangofrom 0, < 1:1.10.7-2+deb9u5
Debian/python-djangofrom 0, < 1.7.11-1+deb8u5
Debian/python-djangofrom 0, < 1:1.11.21-1
PyPI/django>= 1.11a1, < 1.11.21
PyPI/django>= 2.1, < 2.1.9, >= 1.11, < 1.11.21, >= 2.2, < 2.2.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

描述

受影響套件(7)

CVSS 分數

參考連結(33)