{"id":"CVE-2019-12308","details":"An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.","aliases":["GHSA-7rp2-fm2h-wchj","PYSEC-2019-79"],"modified":"2026-04-10T04:15:29.334515Z","published":"2019-06-03T17:29:01.213Z","related":["SUSE-SU-2019:2034-1","SUSE-SU-2019:2257-1","SUSE-SU-2019:2335-1","SUSE-SU-2024:2817-1","openSUSE-SU-2019:1839-1","openSUSE-SU-2019:1872-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/"},{"type":"WEB","url":"https://usn.ubuntu.com/4043-1/"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Jul/10"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"type":"WEB","url":"http://www.securityfocus.com/bid/108559"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"},{"type":"WEB","url":"https://groups.google.com/forum/#%21topic/django-announce/GEbHU7YoVz8"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202004-17"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/06/03/2"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/dev/releases/1.11.21/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4476"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/dev/releases/2.1.9/"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/dev/releases/2.2.2/"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2019/jun/03/security-releases/"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/dev/releases/security/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"c669cf279ae7b3e02a61db4fb077030a4db80e4f"},{"fixed":"bc1f79d0a01d085500aa82ff29800403291a91a4"},{"introduced":"df591468251ed489a3e147d7c359f387f4effe66"},{"fixed":"60ebd195c99884e0cf0aee721839119079bb3046"},{"introduced":"2a62cdcfec85938f40abb2e9e6a9ff497e02afe8"},{"fixed":"9400c96b209855d7b97e3223e4b8ba7751c357cc"}],"database_specific":{"versions":[{"introduced":"1.11"},{"fixed":"1.11.21"},{"introduced":"2.1"},{"fixed":"2.1.9"},{"introduced":"2.2"},{"fixed":"2.2.2"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12308.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}