CVE-2020-13596

Опубликовано: 03 июн. 2020

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

Ссылки

https://docs.djangoproject.com/en/3.0/releases/security/
Release Notes
Vendor Advisory
https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
https://security.netapp.com/advisory/ntap-20200611-0002/
Third Party Advisory
https://usn.ubuntu.com/4381-1/
Third Party Advisory
https://usn.ubuntu.com/4381-2/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4705
Third Party Advisory
https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
Release Notes
Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Patch
Third Party Advisory
https://docs.djangoproject.com/en/3.0/releases/security/
Release Notes
Vendor Advisory
https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
https://security.netapp.com/advisory/ntap-20200611-0002/
Third Party Advisory
https://usn.ubuntu.com/4381-1/
Third Party Advisory
https://usn.ubuntu.com/4381-2/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4705
Third Party Advisory
https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
Release Notes
Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Версия от 2.2 (включая) до 2.2.13 (исключая)

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Версия от 3.0 (включая) до 3.0.7 (исключая)

Конфигурация 2

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:netapp:sra_plugin:-:*:*:*:*:linux:*:*

cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Конфигурация 6

cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

EPSS

Процентиль: 77%

0.0108

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2020-13596

CVSS3: 6.1

ubuntu

около 5 лет назад

CVE-2020-13596

CVSS3: 6.5

redhat

около 5 лет назад

CVE-2020-13596

CVSS3: 6.1

debian

около 5 лет назад

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0 ...

GHSA-2m34-jcjv-45xf

CVSS3: 6.1

github

около 5 лет назад

XSS in Django

BDU:2021-00719

fstec

около 5 лет назад

Уязвимость реализации функции ForeignKeyRawIdWidget библиотеки Django, позволяющая нарушителю проводить межсайтовые сценарные атаки

EPSS

Процентиль: 77%

0.0108

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79