BIT-django-2020-13596

BIT-django-2020-13596 PUBLISHED CVSS 6.099999904632568 MEDIUM

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

Risk Scores

CVSS v3.1

6.099999904632568

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Bitnami	django	2.2.0, 3.0.0, 2.2.0

Timeline

Mar 6, 2024 CVE Published
Apr 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://docs.djangoproject.com/en/3.0/releases/security/ url
https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/ url
https://security.netapp.com/advisory/ntap-20200611-0002/ url
https://usn.ubuntu.com/4381-1/ url
https://usn.ubuntu.com/4381-2/ url
https://www.debian.org/security/2020/dsa-4705 url
https://www.djangoproject.com/weblog/2020/jun/03/security-releases/ url
https://www.oracle.com/security-alerts/cpujan2021.html url
https://nvd.nist.gov/vuln/detail/CVE-2020-13596 url

Open in Interactive Console →