PYSEC-2020-32
PUBLISHED
CVSS 9.3 CRITICAL
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | django | 2.2.10, 2.2, 3.0 |
Timeline
- Jun 3, 2020 CVE Published
- Dec 6, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
References
- https://www.djangoproject.com/weblog/2020/jun/03/security-releases/ article
- https://groups.google.com/forum/#!msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ url
- https://docs.djangoproject.com/en/3.0/releases/security/ url
- https://security.netapp.com/advisory/ntap-20200611-0002/ advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/ url
- https://www.oracle.com/security-alerts/cpujan2021.html url
- https://github.com/advisories/GHSA-2m34-jcjv-45xf advisory
- https://usn.ubuntu.com/4381-1/ advisory
- https://usn.ubuntu.com/4381-2/ advisory
- https://www.debian.org/security/2020/dsa-4705 advisory