Source: python-django Version: 1:1.11.21-1 Severity: grave Tags: security upstream Justification: user security hole Control: found -1 2:2.2.1-1 Control: found -1 1:1.10.7-2+deb9u4 Control: found -1 1:1.10.7-1
Hi, The following vulnerability was published for python-django. CVE-2019-12308[0]: | An issue was discovered in Django 1.11 before 1.11.21, 2.1 before | 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed | by the AdminURLFieldWidget displays the provided value without | validating it as a safe URL. Thus, an unvalidated value stored in the | database, or a value provided as a URL query parameter payload, could | result in an clickable JavaScript link. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-12308 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308 [1] https://www.djangoproject.com/weblog/2019/jul/01/security-releases/ Please adjust the affected versions in the BTS as needed. Regards, Salvatore
