GHSA-x9jp-4w8m-4f3c

Опубликовано: 10 июн. 2022

Источник: github

Github: Прошло ревью

Описание

Cross Site Scripting vulnerability in django-jsonform's admin form.

Description

django-jsonform stores the raw JSON data of the db field in a hidden textarea on the admin page. However, that data was kept in the textarea after unescaping it using the safe template filter. This opens up possibilities for XSS attacks.

This only affects the admin pages where the django-jsonform is rendered.

Mitigation

Upgrade to django-jsonform version 2.10.1 or later.

For more information

If you have any questions or comments about this advisory:

Open an issue.
Email the maintainer at Bharat Chauhan <tell.bhch@gmail.com>.

Ссылки

https://github.com/bhch/django-jsonform/security/advisories/GHSA-x9jp-4w8m-4f3c

Пакеты

Наименование

django-jsonform

pip

Затронутые версииВерсия исправления

< 2.10.1

2.10.1

Дефекты

CWE-79

CWE-80

Дефекты

CWE-79

CWE-80