CVE-2019-12308: XSS
First published: Mon Jun 03 2019(Updated: )
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Djangoproject Django | >=1.11<1.11.21 | |
| Djangoproject Django | >=2.1<2.1.9 | |
| Djangoproject Django | >=2.2<2.2.2 | |
| debian/python-django | 2:2.2.28-1~deb11u2 3:3.2.19-1+deb12u1 3:4.2.16-1 | |
| pip/Django | >=2.2a1<2.2.2 | 2.2.2 |
| pip/Django | >=2.1a1<2.1.9 | 2.1.9 |
| pip/Django | >=1.11a1<1.11.21 | 1.11.21 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- http://www.openwall.com/lists/oss-security/2019/06/03/2
- http://www.securityfocus.com/bid/108559
- https://docs.djangoproject.com/en/dev/releases/1.11.21/
- https://docs.djangoproject.com/en/dev/releases/2.1.9/
- https://docs.djangoproject.com/en/dev/releases/2.2.2/
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8
- https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html
- https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/
- https://seclists.org/bugtraq/2019/Jul/10
- https://security.gentoo.org/glsa/202004-17
- https://usn.ubuntu.com/4043-1/
- https://www.debian.org/security/2019/dsa-4476
- https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
- https://groups.google.com/forum/#%21topic/django-announce/GEbHU7YoVz8
- https://launchpad.net/bugs/cve/CVE-2019-12308
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/
- https://nvd.nist.gov/vuln/detail/CVE-2019-12308
- https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62
- https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673
- https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
- https://docs.djangoproject.com/en/dev/releases/1.11.21
- https://docs.djangoproject.com/en/dev/releases/2.1.9
- https://docs.djangoproject.com/en/dev/releases/2.2.2
- https://docs.djangoproject.com/en/dev/releases/security
- https://www.djangoproject.com/weblog/2019/jun/03/security-releases
- https://github.com/advisories/GHSA-7rp2-fm2h-wchj (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
- https://security-tracker.debian.org/tracker/CVE-2019-12308
- https://ubuntu.com/security/CVE-2019-12308
- https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008
- https://usn.ubuntu.com/4043-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-79.yaml
Frequently Asked Questions
What is the severity of CVE-2019-12308?
The severity of CVE-2019-12308 is medium with a severity value of 6.1.
Which versions of Django are affected by CVE-2019-12308?
Django versions 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2 are affected by CVE-2019-12308.
What is the remedy for CVE-2019-12308?
To fix CVE-2019-12308, upgrade Django to version 2.2.2, 2.1.9, or 1.11.21 depending on the version currently installed.
Where can I find more information about CVE-2019-12308?
You can find more information about CVE-2019-12308 on the NIST National Vulnerability Database (NVD), the Openwall OSS Security mailing list, and the Django official documentation.
What is the CWE classification for CVE-2019-12308?
CVE-2019-12308 is classified under CWE-79, which is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- agent/remedy
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/first-publish-date
- agent/event
- collector/security-tracker-debian
- source/Debian
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7rp2-fm2h-wchj
- alias/CVE-2019-12308
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- collector/github-advisory
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/1.11
- version/djangoproject django/2.1
- version/djangoproject django/2.2
- package-manager/debian
- package-manager/pip