summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJon Dufresne <jon.dufresne@gmail.com>2020-05-26 09:51:02 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2020-06-03 09:32:35 +0200
commit1f2dd37f6fcefdd10ed44cb233b2e62b520afb38 (patch)
tree5bfe03d368a683e3b08504de32a14d3d309f7f8b /docs
parent256d29710193f7a2f1e92abe96c94d036f73edc6 (diff)
[3.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.2.13.txt7
-rw-r--r--docs/releases/3.0.7.txt7
2 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt
index 2e149a1f18..ee381fdcce 100644
--- a/docs/releases/2.2.13.txt
+++ b/docs/releases/2.2.13.txt
@@ -6,6 +6,13 @@ Django 2.2.13 release notes
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
+CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
+================================================================
+
+Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
+encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
+ensures query parameters are correctly URL encoded.
+
Bugfixes
========
diff --git a/docs/releases/3.0.7.txt b/docs/releases/3.0.7.txt
index f1775b3471..51ac0d7edd 100644
--- a/docs/releases/3.0.7.txt
+++ b/docs/releases/3.0.7.txt
@@ -6,6 +6,13 @@ Django 3.0.7 release notes
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
+CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
+================================================================
+
+Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
+encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
+ensures query parameters are correctly URL encoded.
+
Bugfixes
========