VDB
PYSEC-2019-79
PYSEC-2019-79
PUBLISHED
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | django | 2.1, 1.11, 2.2 |
Timeline
- Jun 3, 2019 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
References
- https://www.djangoproject.com/weblog/2019/jun/03/security-releases/ article
- https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8 url
- https://docs.djangoproject.com/en/dev/releases/security/ url
- https://docs.djangoproject.com/en/dev/releases/2.2.2/ url
- https://docs.djangoproject.com/en/dev/releases/2.1.9/ url
- https://docs.djangoproject.com/en/dev/releases/1.11.21/ url
- http://www.openwall.com/lists/oss-security/2019/06/03/2 url
- http://www.securityfocus.com/bid/108559 url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/ url
- https://seclists.org/bugtraq/2019/Jul/10 url
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html url
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html url
- https://github.com/advisories/GHSA-7rp2-fm2h-wchj advisory
- https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html advisory
- https://usn.ubuntu.com/4043-1/ advisory
- https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html advisory
- https://www.debian.org/security/2019/dsa-4476 advisory
- https://security.gentoo.org/glsa/202004-17 advisory