Fueled / django-init

Project template used at Fueled for scaffolding new Django based projects. :dizzy:

Upgrade Django to 2.1.9 or later #359

Closed CuriousLearner closed 5 years ago

CuriousLearner commented 5 years ago

CVE-2019-12308 (moderate severity)
Vulnerable versions: >= 2.1.0, < 2.1.9
Patched version: 2.1.9

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
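The gap the advisory describes is a link widget that turns any stored value into an href without checking its scheme. The following is an added example, not code from django-init, Django, or the commenter: it contrasts that unvalidated rendering with a scheme allow-list check, using only the Python standard library (function names such as `is_safe_url` and `render_current_url` are assumed).

```python
# Added example (not django-init's or Django's own code): rendering a
# "Current URL" link only after the value passes a scheme allow-list.
import html
from urllib.parse import urlsplit

# Schemes that are reasonable for an admin "Current URL" link. Anything
# else (javascript:, data:, protocol-relative, free text) is never clickable.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def is_safe_url(value: str) -> bool:
    """Return True only for an absolute URL with an allow-listed scheme."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. malformed IPv6 host brackets
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_current_url_unvalidated(value: str) -> str:
    """Pre-fix shape of the bug: whatever is stored becomes an href.
    HTML-escaping blocks tag injection but not a javascript: scheme."""
    escaped = html.escape(value, quote=True)
    return f'<a href="{escaped}">{escaped}</a>'


def render_current_url(value: str) -> str:
    """Hardened form: a validated URL gets an <a>; any other value is
    shown as escaped plain text, so it is displayed but not clickable."""
    escaped = html.escape(value, quote=True)
    if is_safe_url(value):
        return f'<a href="{escaped}">{escaped}</a>'
    return escaped


if __name__ == "__main__":
    # Constructed sample values, not data from any real database.
    for sample in ("https://example.com/docs", "javascript:void(0)", "not a url"):
        print(render_current_url(sample))
```

Leading whitespace and mixed-case schemes are normalised by `strip()` and `urlsplit` before the allow-list check, so case or padding variants do not slip through.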