FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Django -- AdminURLFieldWidget XSS

Affected packages
py27-django111 < 1.11.21
py35-django111 < 1.11.21
py36-django111 < 1.11.21
py37-django111 < 1.11.21
py35-django21 < 2.1.9
py36-django21 < 2.1.9
py37-django21 < 2.1.9
py35-django22 < 2.2.2
py36-django22 < 2.2.2
py37-django22 < 2.2.2

Details

VuXML ID ffc73e87-87f0-11e9-ad56-fcaa147e860e
Discovery 2019-06-03
Entry 2019-06-06

Django security releases issued:

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
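
As an added illustration (not Django's own code and not part of this advisory), the following Python stand-in for the widget's "Currently:" link shows why HTML-escaping the value does not help once it is used as an href, and how refusing to render a link for anything that does not validate as an absolute http(s)/ftp(s) URL removes the clickable javascript: payload. The scheme allowlist, function names and sample values are assumptions made for the example; the upstream fix validates the value with Django's own URL validation before rendering the link, and the allowlist check here is a simplified stand-in for that.

```python
"""Stand-in for the AdminURLFieldWidget "Currently:" link (added example,
not Django code): the vulnerable rendering beside a validated one."""
from html import escape
from urllib.parse import urlsplit

# Assumption for this example: schemes an admin "current URL" link may point
# at. Django's real fix uses its URLValidator; this allowlist stands in for it.
SAFE_SCHEMES = {"http", "https", "ftp", "ftps"}


def is_safe_url(value: str) -> bool:
    """True only for an absolute URL with an allow-listed scheme and a host."""
    if not value:
        return False
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return False
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


def render_current_url_vulnerable(value: str) -> str:
    """Pre-fix behaviour: the text is escaped, but the value is trusted as an href.

    Escaping neutralises <script> injection, not a javascript: scheme, so the
    anchor below is still a clickable JavaScript link.
    """
    if not value:
        return ""
    return '<p class="url">Currently: <a href="%s">%s</a></p>' % (
        escape(value, quote=True), escape(value))


def render_current_url_fixed(value: str) -> str:
    """Post-fix behaviour: emit an anchor only when the value validates as a URL."""
    if not value:
        return ""
    if is_safe_url(value):
        return '<p class="url">Currently: <a href="%s">%s</a></p>' % (
            escape(value, quote=True), escape(value))
    # Unsafe or malformed value: show it as plain text, never as a link.
    return '<p class="url">Currently: %s</p>' % escape(value)


if __name__ == "__main__":
    # Constructed sample values, including a javascript: payload as it could
    # arrive from the database or from a ?field=... query parameter.
    for v in ["https://example.org/",
              "javascript:alert(document.cookie)",
              " JavaScript:alert(1)",
              "data:text/html,<script>",
              "not a url"]:
        print("vulnerable:", render_current_url_vulnerable(v))
        print("fixed:     ", render_current_url_fixed(v))
```

Running the block prints, for the javascript: value, a vulnerable anchor whose href is the payload unchanged and a fixed rendering that contains no anchor at all; note that the check is done on the parsed scheme after stripping and lower-casing, so mixed-case or space-prefixed variants are rejected as well.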

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

References

CVE Name CVE-2019-11358
CVE Name CVE-2019-12308
URL https://www.djangoproject.com/weblog/2019/jun/03/security-releases/