Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.

Jon Dufresne 2020-05-26 09:51:02 +02:00 committed by Carlton Gibson
parent 81dc710571
commit 2dd4d110c1
5 changed files with 36 additions and 3 deletions


@ -6,6 +6,13 @@ Django 2.2.13 release notes
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================
Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded.
Bugfixes
========
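Review bot: The context line in this hunk says 2.2.13 "fixes two security issues", but the added text documents only CVE-2020-13596; either the second advisory's section is added by another commit to this same file (in which case the count is fine as the combined result), or the intro sentence should read "one security issue" until that section lands. Worth confirming before tagging, since release notes are what downstream packagers read to decide what they are shipping.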


@ -6,6 +6,13 @@ Django 3.0.7 release notes
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================
Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded.
Bugfixes
========
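Review bot: The added paragraph states the remedy ("now ensures query parameters are correctly URL encoded") but not the exploitation precondition: who has to control the query parameter values for the unencoded output to become script. Django security notes normally say whether the issue needs an attacker with admin access, a crafted model configuration, or untrusted data reaching the widget, so readers can judge exposure. Consider adding one sentence to that effect, mirrored in the 2.2.13 notes so the two stay identical.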