[Python-modules-team] Bug#931316: python-django: CVE-2019-12308: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Salvatore Bonaccorso
carnil at debian.org
Mon Jul 1 19:36:06 BST 2019
Source: python-django
Version: 1:1.11.21-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2:2.2.1-1
Control: found -1 1:1.10.7-2+deb9u4
Control: found -1 1:1.10.7-1
Hi,
The following vulnerability was published for python-django.
CVE-2019-12308[0]:
| An issue was discovered in Django 1.11 before 1.11.21, 2.1 before
| 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed
| by the AdminURLFieldWidget displays the provided value without
| validating it as a safe URL. Thus, an unvalidated value stored in the
| database, or a value provided as a URL query parameter payload, could
| result in an clickable JavaScript link.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-12308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
[1] https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Python-modules-team
mailing list