GHSA-2m34-jcjv-45xf

Source

https://github.com/advisories/GHSA-2m34-jcjv-45xf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-2m34-jcjv-45xf/GHSA-2m34-jcjv-45xf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2m34-jcjv-45xf

Aliases

Published

2020-06-05T16:24:28Z

Modified

2024-09-20T15:46:33.021684Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

XSS in Django

Details

An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

Database specific

{
    "nvd_published_at": "2020-06-03T14:15:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2020-06-04T18:32:57Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2a1

Fixed

2.2.13

Affected versions

2.*

2.2a1

2.2b1

2.2rc1

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0a1

Fixed

3.0.7

Affected versions

3.*

3.0a1

3.0b1

3.0rc1

3.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6