mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-26 07:06:08 +00:00
Code Issues 32 Releases Wiki Activity

[3.1.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.

Browse Source
This commit is contained in:
Jon Dufresne
2020-05-26 09:51:02 +02:00
committed by Carlton Gibson
parent 0186b43073
commit 49d7cc19e3
5 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/releases/2.2.13.txt
View File

@@ -6,6 +6,13 @@ Django 2.2.13 release notes
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================
Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded.
Bugfixes
========

7
docs/releases/3.0.7.txt
View File

@@ -6,6 +6,13 @@ Django 3.0.7 release notes
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================
Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded.
Bugfixes
========