6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.007 Low
EPSS
Percentile
79.7%
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.
www.openwall.com/lists/oss-security/2019/06/03/2
docs.djangoproject.com/en/dev/releases/1.11.21
docs.djangoproject.com/en/dev/releases/2.1.9
docs.djangoproject.com/en/dev/releases/2.2.2
docs.djangoproject.com/en/dev/releases/security
github.com/advisories/GHSA-7rp2-fm2h-wchj
github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62
github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673
github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8
nvd.nist.gov/vuln/detail/CVE-2019-12308
www.djangoproject.com/weblog/2019/jun/03/security-releases
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.007 Low
EPSS
Percentile
79.7%