Описание
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
A flaw was found in Django, where the query parameters for the admin widget ForeignKeyRawIdWidget were not properly URL encoded. This flaw allows an attacker to perform a Cross-site scripting (XSS) attack. The highest threat from this vulnerability is to confidentiality.
Отчет
The following products ship the flawed code, however they do not make use of ForeignKeyRawIdWidget and are therefore not vulnerable to this flaw:
- Red Hat Satellite 6
- Red Hat Update Infrastructure 3
- Red Hat OpenStack Platform 13, 15, & 16
- Red Hat Gluster Storage 3 The version of python-django shipped with Red Hat Ceph Storage(RHCS) was used with calamari and graphite which are no more supported, hence the django package will not be fixed for RHCS.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 2 | python-django | Out of support scope | ||
| Red Hat Ceph Storage 3 | python-django | Will not fix | ||
| Red Hat OpenStack Platform 10 (Newton) | python-django | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | python-django | Fix deferred | ||
| Red Hat OpenStack Platform 15 (Stein) | python-django | Fix deferred | ||
| Red Hat OpenStack Platform 15 (Stein) | python-django20 | Out of support scope | ||
| Red Hat OpenStack Platform 16 (Train) | python-django | Fix deferred | ||
| Red Hat Satellite 6 | python-django | Will not fix | ||
| Red Hat Storage 3 | python-django | Affected | ||
| Red Hat Update Infrastructure 3 for Cloud Providers | python-django | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0 ...
Уязвимость реализации функции ForeignKeyRawIdWidget библиотеки Django, позволяющая нарушителю проводить межсайтовые сценарные атаки
EPSS
6.5 Medium
CVSS3