From 2dd4d110c159d0c81dff42eaead2c378a0998735 Mon Sep 17 00:00:00 2001 From: Jon Dufresne Date: Tue, 26 May 2020 09:51:02 +0200 Subject: Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget. --- docs/releases/2.2.13.txt | 7 +++++++ docs/releases/3.0.7.txt | 7 +++++++ 2 files changed, 14 insertions(+) (limited to 'docs') diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt index 2e149a1f18..ee381fdcce 100644 --- a/docs/releases/2.2.13.txt +++ b/docs/releases/2.2.13.txt @@ -6,6 +6,13 @@ Django 2.2.13 release notes Django 2.2.13 fixes two security issues and a regression in 2.2.12. +CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget`` +================================================================ + +Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL +encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now +ensures query parameters are correctly URL encoded. + Bugfixes ======== diff --git a/docs/releases/3.0.7.txt b/docs/releases/3.0.7.txt index f1775b3471..51ac0d7edd 100644 --- a/docs/releases/3.0.7.txt +++ b/docs/releases/3.0.7.txt @@ -6,6 +6,13 @@ Django 3.0.7 release notes Django 3.0.7 fixes two security issues and several bugs in 3.0.6. +CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget`` +================================================================ + +Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL +encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now +ensures query parameters are correctly URL encoded. + Bugfixes ======== -- cgit v1.3