Description
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
A validation flaw was found in Django's AdminURLFieldWidget. The clickable Current URL link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. An unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
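The following is an added example, not Django's own widget code: a framework-free model of how the "Current URL" fragment is rendered, contrasting the unchecked form (any stored value becomes an `href`) with a hardened form that only emits a link when the value validates as an absolute URL with an allowed scheme. The `is_safe_url` check here is a simplified stand-in for Django's `URLValidator`, and the `javascript:void(0)` input in the docstrings is a constructed, inert sample. Note that HTML escaping alone does not help, because a `javascript:` value contains no characters that escaping would change.

```python
"""Model of the AdminURLFieldWidget "Current URL" rendering (added example).

Not Django's code. Shows why HTML-escaping the value is not enough and
how validating the URL before making it clickable removes the problem.
"""
import html
import re
from urllib.parse import urlsplit

# Schemes allowed to become a clickable link. Anything else (javascript:,
# data:, vbscript:, ...) is rendered as inert, escaped text instead.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}

# Simplified host check: dotted DNS labels or an IPv4 literal. This is a
# deliberately small stand-in for URLValidator's host grammar (assumption).
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
    r"|^(?:\d{1,3}\.){3}\d{1,3}$",
    re.IGNORECASE,
)


def is_safe_url(value: str) -> bool:
    """Return True only for an absolute URL with an allowed scheme and a plausible host.

    Constructed sample: is_safe_url("javascript:void(0)") is False.
    """
    # Control characters or whitespace never belong in a stored URL; check
    # the raw value before urlsplit, which may silently strip some of them.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        return False
    return True


def render_current_url_unchecked(value: str) -> str:
    """Vulnerable form: the value is HTML-escaped, but any scheme becomes a link."""
    escaped = html.escape(value, quote=True)
    return f'<p class="url">Currently: <a href="{escaped}">{escaped}</a></p>'


def render_current_url_checked(value: str) -> str:
    """Hardened form: only a validated URL is made clickable; otherwise plain text."""
    escaped = html.escape(value, quote=True)
    if is_safe_url(value):
        return f'<p class="url">Currently: <a href="{escaped}">{escaped}</a></p>'
    return f'<p class="url">Currently: {escaped}</p>'


if __name__ == "__main__":
    for sample in ("https://example.com/admin/", "javascript:void(0)", "relative/path"):
        print("unchecked:", render_current_url_unchecked(sample))
        print("checked:  ", render_current_url_checked(sample))
```

The design point is that the decision to emit an `<a>` element depends on a positive allow-list of schemes plus structural validation, not on escaping or on a deny-list of known dangerous schemes; a value that fails validation is still shown to the admin user, just not as a link.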
Report
- This issue affects the version of python-django as shipped with Red Hat Gluster Storage 3 as it contains the vulnerable code.
- This issue does not affect Red Hat Satellite 6, versions 6.3, 6.4 and 6.5, because its django component only returns content-type as JSON, which does not lead to cross site scripting.
- This issue does not affect Red Hat Update Infrastructure 3 because it does not use any of the Widgets provided by python-django, including AdminURLFieldWidget.
- This issue does not affect redhat-certification because it does not use AdminURLFieldWidget from python-django package.
Affected packages
Platform | Package | State | Recommendation | Release
---|---|---|---|---
Red Hat Ceph Storage 2 | python-django | Not affected | |
Red Hat Ceph Storage 3 | python-django | Not affected | |
Red Hat Certification for Red Hat Enterprise Linux 7 | python-django | Not affected | |
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | python-django | Not affected | |
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools | python-django | Not affected | |
Red Hat OpenStack Platform 10 (Newton) | python-django | Not affected | |
Red Hat OpenStack Platform 13 (Queens) | python-django | Will not fix | |
Red Hat OpenStack Platform 14 (Rocky) | python-django | Affected | |
Red Hat OpenStack Platform 15 (Stein) | python-django | Not affected | |
Red Hat OpenStack Platform 8 (Liberty) | python-django | Not affected | |
Additional information
Status: 4.7 Medium (CVSS3)
Related vulnerabilities
Django Cross-site Scripting in AdminURLFieldWidget
A vulnerability in the AdminURLFieldWidget function of the Django web development framework, caused by missing protection of the web page structure, which allows an attacker to affect data integrity.
4.7 Medium (CVSS3)