diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/2.2.13.txt | 7 | ||||
| -rw-r--r-- | docs/releases/3.0.7.txt | 7 |
2 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt index 2e149a1f18..ee381fdcce 100644 --- a/docs/releases/2.2.13.txt +++ b/docs/releases/2.2.13.txt @@ -6,6 +6,13 @@ Django 2.2.13 release notes Django 2.2.13 fixes two security issues and a regression in 2.2.12. +CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget`` +================================================================ + +Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL +encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now +ensures query parameters are correctly URL encoded. + Bugfixes ======== diff --git a/docs/releases/3.0.7.txt b/docs/releases/3.0.7.txt index f1775b3471..51ac0d7edd 100644 --- a/docs/releases/3.0.7.txt +++ b/docs/releases/3.0.7.txt @@ -6,6 +6,13 @@ Django 3.0.7 release notes Django 3.0.7 fixes two security issues and several bugs in 3.0.6. +CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget`` +================================================================ + +Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL +encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now +ensures query parameters are correctly URL encoded. + Bugfixes ======== |
