ASA-2019-00310 – Django: AdminURLFieldWidget Cross-Site Scripting (XSS)


Allele Security Alert

ASA-2019-00310

Identifier(s)

ASA-2019-00310, CVE-2019-12308

Title

AdminURLFieldWidget Cross-Site Scripting (XSS)

Vendor(s)

Django Software Foundation

Product(s)

Django

Affected version(s)

Django 2.2 before version 2.2.2
Django 2.1 before version 2.1.9
Django 1.11 before version 1.11.21

Fixed version(s)

Django 2.2.2
Django 2.1.9
Django 1.11.21

Proof of concept

Unknown

Description

The clickable “Current URL” link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
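The fix described above, shown as an added Python example that is not Django's own code: a small scheme allow-list validator stands in for URLValidator (whose default schemes are http, https, ftp and ftps), the unvalidated rendering is placed beside the validated one to show why HTML escaping alone is not enough, and a `validator` parameter plays the role of the validator_class kwarg. The helper names, the `ValidationError` class and the "Currently:" markup are assumptions made for this example.

```python
import html
from urllib.parse import urlsplit

# Stand-in for Django's URLValidator: the default schemes it accepts are
# http, https, ftp and ftps. The allow-list is what keeps a "javascript:"
# value from ever reaching an href attribute.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "ftps"})


class ValidationError(ValueError):
    """Raised when a value is not an acceptable URL (assumed helper)."""


def validate_url(value: str, allowed_schemes=ALLOWED_SCHEMES) -> None:
    """Minimal allow-list URL check (assumed helper, not Django's code).

    Control and whitespace characters are rejected before parsing, because
    URL parsers strip or tolerate them and that can hide the real scheme.
    """
    if not isinstance(value, str) or not value:
        raise ValidationError("empty or non-string value")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch.isspace() for ch in value):
        raise ValidationError("control or whitespace character in URL")
    parts = urlsplit(value)  # urlsplit lowercases the scheme for us
    if parts.scheme not in allowed_schemes:
        raise ValidationError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.netloc:
        raise ValidationError("URL has no host")


def render_current_url_unvalidated(value: str) -> str:
    """The vulnerable shape: escape the value and link to it regardless.

    Escaping stops tag injection but says nothing about the URL scheme, so a
    stored "javascript:" value still becomes a clickable link.
    """
    escaped = html.escape(value, quote=True)
    return f'<p class="url">Currently: <a href="{escaped}">{escaped}</a></p>'


def render_current_url(value: str, validator=validate_url) -> str:
    """The fixed shape: validate first, render a link only on success.

    `validator` is the analogue of the validator_class kwarg: callers can
    plug in a stricter check (for example, https only).
    """
    escaped = html.escape(value, quote=True)
    try:
        validator(value)
    except ValidationError:
        # Still show the stored value to the operator, just not as a link.
        return f'<p class="url">Currently: {escaped}</p>'
    return f'<p class="url">Currently: <a href="{escaped}">{escaped}</a></p>'


def is_valid_url(value: str, validator=validate_url) -> bool:
    """Boolean wrapper around the validator for checks and tests."""
    try:
        validator(value)
    except ValidationError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values: one legitimate URL, one stored javascript: value.
    for sample in ("https://example.com/docs?id=1", "javascript:alert(1)"):
        print("unvalidated:", render_current_url_unvalidated(sample))
        print("validated:  ", render_current_url(sample))
```

The design point is the order of operations: the value is validated against a scheme allow-list before any anchor is emitted, and on failure the widget degrades to plain text rather than dropping the value, which is what an admin user would expect to see for a bad record.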

Technical details

Unknown

Credits

Unknown

Reference(s)

Django security releases issued: 2.2.2, 2.1.9 and 1.11.21
https://www.djangoproject.com/weblog/2019/jun/03/security-releases/

Fixed CVE-2019-12308 — Made AdminURLFieldWidget validate URL before rendering clickable link – master branch
https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008

Fixed CVE-2019-12308 — Made AdminURLFieldWidget validate URL before rendering clickable link – 2.2 release branch
https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673

Fixed CVE-2019-12308 — Made AdminURLFieldWidget validate URL before rendering clickable link – 2.1 release branch
https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62

Fixed CVE-2019-12308 — Made AdminURLFieldWidget validate URL before rendering clickable link – 1.11 release branch
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b

Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)
https://seclists.org/oss-sec/2019/q2/138

CVE-2019-12308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308

CVE-2019-12308
https://nvd.nist.gov/vuln/detail/CVE-2019-12308

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.