PT-2019-4622 · Django Software Foundation · Django
Published 2019-05-26 · Updated 2026-01-03 · CVE-2019-12308
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Django versions 1.11 through 1.11.20
Django versions 2.1 through 2.1.8
Django versions 2.2 through 2.2.1
Description
The issue affects the AdminURLFieldWidget in the Django web development framework and is associated with incorrect restriction of a path name to a restricted directory. It could allow a remote attacker to affect data integrity. The clickable "Current URL" value displayed by AdminURLFieldWidget shows the provided value without validating it as a safe URL. Thus an unvalidated value stored in the database, or a value supplied as a URL query parameter, could result in a clickable JavaScript link.
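As an added illustration (not Django's own code), the following stand-in for the widget's rendering step shows why HTML-escaping alone does not prevent this issue and what the validation a fix relies on looks like: the value is always escaped, but it is only rendered as a clickable link when it parses as an absolute URL with an allow-listed scheme. The scheme list and the function names are assumptions.

```python
import html
from urllib.parse import urlsplit

# Assumed allow list: only these schemes are ever rendered as a clickable link.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(value):
    """Return True only for an absolute URL whose scheme is on the allow list."""
    if not isinstance(value, str) or not value.strip():
        return False
    # Validate the exact string that will be rendered; browsers tolerate
    # leading whitespace before a scheme, so strip it before inspecting.
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_current_url_unvalidated(value):
    """Weak pattern: whatever is stored becomes the href of a clickable link.

    Escaping neutralises markup injection, but a non-http scheme is valid
    attribute content and survives escaping untouched.
    """
    escaped = html.escape(value, quote=True)
    return '<a href="%s">%s</a>' % (escaped, escaped)


def render_current_url(value):
    """Hardened pattern: escape always, link only when validation passes."""
    escaped = html.escape(value, quote=True)
    if not is_safe_url(value):
        # Show the stored value as plain text so an admin can see and fix it,
        # but never as a clickable link.
        return escaped
    return '<a href="%s">%s</a>' % (escaped, escaped)


if __name__ == "__main__":
    # Constructed sample values, not data from the advisory.
    for sample in ("https://example.com/docs", "not a url", "ftp://example.com"):
        print(repr(sample), "->", render_current_url(sample))
```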
Recommendations
For Django versions 1.11 through 1.11.20, update to version 1.11.21 or later.
For Django versions 2.1 through 2.1.8, update to version 2.1.9 or later.
For Django versions 2.2 through 2.2.1, update to version 2.2.2 or later.
As a temporary workaround, consider disabling the clickable Current URL value displayed by the AdminURLFieldWidget until a patch is available. Restrict access to the AdminURLFieldWidget to minimize the risk of exploitation. Avoid using unvalidated values from the database or URL query parameters in the AdminURLFieldWidget until the issue is resolved.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Django
Suse
Ubuntu