Vulnerability Details: CVE-2019-12308
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-12308
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12308
- EPSS score: 2.23% (probability of exploitation activity in the next 30 days)
- Percentile: ~89% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2019-12308
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
| 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2019-12308
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12308
- Django 1.11.21 release notes | Django documentation | Django [Vendor Advisory] (https://docs.djangoproject.com/en/dev/releases/1.11.21/)
- Django CVE-2019-12308 Cross Site Scripting Vulnerability (http://www.securityfocus.com/bid/108559)
- Django: Multiple vulnerabilities (GLSA 202004-17) — Gentoo security (https://security.gentoo.org/glsa/202004-17)
- Debian -- Security Information -- DSA-4476-1 python-django (https://www.debian.org/security/2019/dsa-4476)
- [SECURITY] [DLA 1842-1] python-django security update (https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html)
- USN-4043-1: Django vulnerabilities | Ubuntu security notices (https://usn.ubuntu.com/4043-1/)
- Bugtraq: [SECURITY] [DSA 4476-1] python-django security update (https://seclists.org/bugtraq/2019/Jul/10)
- Django 2.2.2 release notes | Django documentation | Django [Vendor Advisory] (https://docs.djangoproject.com/en/dev/releases/2.2.2/)
- [security-announce] openSUSE-SU-2019:1872-1: moderate: Security update f (http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html)
- Archive of security issues | Django documentation | Django [Vendor Advisory] (https://docs.djangoproject.com/en/dev/releases/security/)
- Django security releases issued: 2.2.2, 2.1.9 and 1.11.21 - Google Groepen [Mailing List; Vendor Advisory] (https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8)
- Django 2.1.9 release notes | Django documentation | Django [Vendor Advisory] (https://docs.djangoproject.com/en/dev/releases/2.1.9/)
- [SECURITY] Fedora 30 Update: python-django-2.1.9-1.fc30 - package-announce - Fedora Mailing-Lists (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/)
- [SECURITY] [DLA 1814-1] python-django security update (https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html)
- [security-announce] openSUSE-SU-2019:1839-1: moderate: Security update f (http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html)
- oss-security - Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358) [Mailing List; Third Party Advisory] (http://www.openwall.com/lists/oss-security/2019/06/03/2)
- Django security releases issued: 2.2.2, 2.1.9 and 1.11.21 | Weblog | Django [Vendor Advisory] (https://www.djangoproject.com/weblog/2019/jun/03/security-releases/)