CVE-2019-12308
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-12308
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12308.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-12308
- Aliases
- Related
- Published
- 2019-06-03T17:29:01Z
- Modified
- 2024-09-18T03:02:01.562397Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.
- References
-
- https://docs.djangoproject.com/en/dev/releases/1.11.21/
- https://docs.djangoproject.com/en/dev/releases/2.1.9/
- https://docs.djangoproject.com/en/dev/releases/2.2.2/
- https://docs.djangoproject.com/en/dev/releases/security/
- https://security.gentoo.org/glsa/202004-17
- https://www.debian.org/security/2019/dsa-4476
- https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
- http://www.openwall.com/lists/oss-security/2019/06/03/2
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- http://www.securityfocus.com/bid/108559
- https://groups.google.com/forum/#%21topic/django-announce/GEbHU7YoVz8
- https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html
- https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/
- https://seclists.org/bugtraq/2019/Jul/10
- https://usn.ubuntu.com/4043-1/
- https://security.alpinelinux.org/vuln/CVE-2019-12308
- https://security-tracker.debian.org/tracker/CVE-2019-12308
Affected packages
Alpine:v3.10 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.11.21-r0
Affected versions
1.*
1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
1.11.20-r1
Alpine:v3.11 / py3-django
Package
- Name
- py3-django
- Purl
- pkg:apk/alpine/py3-django?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.11.21-r0
Affected versions
1.*
1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
1.11.20-r1
Alpine:v3.12 / py3-django
Package
- Name
- py3-django
- Purl
- pkg:apk/alpine/py3-django?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.11.21-r0
Affected versions
1.*
1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
1.11.20-r1
Alpine:v3.7 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.11.21-r0
Affected versions
1.*
1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.11-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
Alpine:v3.8 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.11.21-r0
Affected versions
1.*
1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
Alpine:v3.9 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.11.21-r0
Affected versions
1.*
1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
Debian:11 / python-django
Package
- Name
- python-django
- Purl
- pkg:deb/debian/python-django?arch=source
Debian:12 / python-django
Package
- Name
- python-django
- Purl
- pkg:deb/debian/python-django?arch=source
Debian:13 / python-django
Package
- Name
- python-django
- Purl
- pkg:deb/debian/python-django?arch=source