Description
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript's Element.innerHTML to forge content in the admin's add/change related pop-up. Element.textContent is now used to prevent XSS data execution.
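To make the difference between the two assignments concrete, the following is an added example (not Django's own code and not the page's): a constructed stand-in for a DOM `<option>` element, with two helpers modelled on the way dismissChangeRelatedObjectPopup rewrites the label of the selected option, so the two behaviours can be compared offline in Node. FakeOption, updateOptionVulnerable, updateOptionFixed, demo and SAMPLE_REPR are assumptions of this example.

```javascript
// Constructed stand-in for a DOM <option> (not a real DOM): innerHTML parses
// the assigned string as markup, so each tag becomes a child element whose
// event-handler attributes a browser would run; textContent stores it literally.
const TAG_RE = /<([a-zA-Z][^\s/>]*)[^>]*>/g;

class FakeOption {
  constructor(value, label) { this.value = value; this._text = label; this._tags = []; }
  set innerHTML(markup) {
    this._tags = [...markup.matchAll(TAG_RE)].map((m) => m[1].toLowerCase());
    this._text = markup.replace(/<[^>]*>/g, '');
  }
  set textContent(str) { this._tags = []; this._text = str; }
  get textContent() { return this._text; }
  get childTags() { return this._tags; }
}

// Both helpers model the loop in dismissChangeRelatedObjectPopup (assumed
// shape, not Django's code): locate the option for the edited object and
// replace its label with the new repr the pop-up returns.
function updateOptionVulnerable(options, objId, newRepr, newId) {
  for (const opt of options) {
    if (opt.value !== objId) continue;
    opt.innerHTML = newRepr; // pre-1.8.14 behaviour: repr parsed as HTML
    opt.value = newId;
  }
  return options;
}

function updateOptionFixed(options, objId, newRepr, newId) {
  for (const opt of options) {
    if (opt.value !== objId) continue;
    opt.textContent = newRepr; // fixed behaviour: repr kept as plain text
    opt.value = newId;
  }
  return options;
}

// Constructed sample: an object string representation that carries markup.
const SAMPLE_REPR = 'Widget <img src=x onerror=alert(1)>';

// Runs both paths on the same input; returns what each left in the option.
function demo() {
  const vuln = updateOptionVulnerable([new FakeOption('7', 'Widget')], '7', SAMPLE_REPR, '7');
  const fixed = updateOptionFixed([new FakeOption('7', 'Widget')], '7', SAMPLE_REPR, '7');
  return {
    vulnTags: vuln[0].childTags, vulnText: vuln[0].textContent,
    fixedTags: fixed[0].childTags, fixedText: fixed[0].textContent,
  };
}
```

With the vulnerable path the `img` tag becomes a child element (and its handler would fire in a browser); with the fixed path the option simply shows the literal string, which is the whole effect of the textContent change.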
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Ceph Storage 1.3 | Django | Will not fix | ||
Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse) | python-django | Not affected | ||
Red Hat Enterprise Linux OpenStack Platform 6 (Juno) | python-django | Not affected | ||
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools | python-django | Not affected | ||
Red Hat OpenStack Platform 10 (Newton) | python-django | Not affected | ||
Red Hat OpenStack Platform 9 (Mitaka) | python-django | Not affected | ||
Red Hat Subscription Asset Manager | Django | Will not fix | ||
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | python-django | Fixed | RHSA-2016:1595 | 11.08.2016 |
Red Hat OpenStack Platform 8.0 (Liberty) | python-django | Fixed | RHSA-2016:1596 | 11.08.2016 |
Red Hat OpenStack Platform 8.0 Operational Tools for RHEL 7 | python-django | Fixed | RHSA-2016:1594 | 10.08.2016 |
Additional information
Status:
EPSS:
CVSS3: 6.1 Medium
CVSS2: 4.3 Medium
Related vulnerabilities