Allele Security Alert
ASA-2019-00310
Identifier(s)
ASA-2019-00310, CVE-2019-12308
Title
AdminURLFieldWidget Cross-Site Scripting (XSS)
Vendor(s)
Django Software Foundation
Product(s)
Django
Affected version(s)
Django 2.2 before version 2.2.2
Django 2.1 before version 2.1.9
Django 1.11 before version 1.11.21
Fixed version(s)
Django 2.2.2
Django 2.1.9
Django 1.11.21
Proof of concept
Unknown
Description
The clickable “Current URL” link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
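The following is an added, stand-alone Python sketch of the behaviour change described above; it is not Django's code. A simplified scheme-and-host check (SimpleURLValidator, a hypothetical name) stands in for Django's URLValidator, and html.escape stands in for Django's template auto-escaping, so that the pre-fix and post-fix rendering of the "Current URL" link can be compared on constructed sample values.

```python
# Added example (not Django's code): minimal model of the CVE-2019-12308 fix.
# SimpleURLValidator is a hypothetical stand-in for django's URLValidator;
# html.escape stands in for Django's template auto-escaping.
import html
from urllib.parse import urlsplit


class ValidationError(ValueError):
    """Raised when a value is not an acceptable URL."""


class SimpleURLValidator:
    """Simplified stand-in for django.core.validators.URLValidator."""

    # Default schemes accepted by Django's URLValidator.
    schemes = ("http", "https", "ftp", "ftps")

    def __init__(self, schemes=None):
        if schemes is not None:
            self.schemes = tuple(s.lower() for s in schemes)

    def __call__(self, value):
        parts = urlsplit(value)
        if parts.scheme.lower() not in self.schemes or not parts.netloc:
            raise ValidationError(f"invalid URL: {value!r}")


def render_current_url_vulnerable(value):
    """Pre-fix behaviour: every value becomes a clickable link."""
    escaped = html.escape(value, quote=True)
    return f'<a href="{escaped}">{escaped}</a>'


def render_current_url_fixed(value, validator_class=SimpleURLValidator):
    """Post-fix behaviour: a link is rendered only if the value validates.

    validator_class mirrors the kwarg the advisory says the widget accepts.
    """
    escaped = html.escape(value, quote=True)
    try:
        validator_class()(value)
    except ValidationError:
        return escaped  # shown as plain text, never as a clickable link
    return f'<a href="{escaped}">{escaped}</a>'


if __name__ == "__main__":
    # Constructed sample values, not taken from any real database.
    for sample in ("https://example.com/", "javascript:void(0)"):
        print(render_current_url_vulnerable(sample))
        print(render_current_url_fixed(sample))
```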
Technical details
Unknown
Credits
Unknown
Reference(s)
Django security releases issued: 2.2.2, 2.1.9 and 1.11.21
https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
Fixed CVE-2019-12308 — Made AdminURLFieldWidget validate URL before rendering clickable link – master branch
https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008
Fixed CVE-2019-12308 — Made AdminURLFieldWidget validate URL before rendering clickable link – 2.2 release branch
https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673
Fixed CVE-2019-12308 — Made AdminURLFieldWidget validate URL before rendering clickable link – 2.1 release branch
https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62
Fixed CVE-2019-12308 — Made AdminURLFieldWidget validate URL before rendering clickable link – 1.11 release branch
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)
https://seclists.org/oss-sec/2019/q2/138
CVE-2019-12308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
CVE-2019-12308
https://nvd.nist.gov/vuln/detail/CVE-2019-12308
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 3, 2019