VDB

ALPINE-CVE-2019-12308

ALPINE-CVE-2019-12308 PUBLISHED CVSS 6.099999904632568 MEDIUM

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

Risk Scores

CVSS v3.0
6.099999904632568
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products

VendorProductVersions
Alpine:v3.11py3-django1.8.8-r0, 1.8.7-r0, 1.8.6-r0
Alpine:v3.12py3-django0, 1.10.5-r0, 1.10.7-r0
Alpine:v3.7py-django0, 0, 1.10.7-r0
Alpine:v3.9py-django1.5.7-r0, 1.11.20-r0, 1.2.5-r0
Alpine:v3.10py-django1.8.14-r0, 1.8.7-r0, 1.8.6-r0
Alpine:v3.8py-django1.8.8-r0, 1.8.7-r0, 1.8.6-r0

Timeline

  • Jun 3, 2019 CVE Published
  • Nov 19, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›