author Jon Dufresne <jon.dufresne@gmail.com> 2020-05-26 09:51:02 +0200
committer Carlton Gibson <carlton.gibson@noumenal.es> 2020-06-03 09:23:00 +0200
commit 2dd4d110c159d0c81dff42eaead2c378a0998735 (patch)
tree 882d7a84a709dbc73e63c684bdbcdf2449d7dec1 /docs/releases
parent 81dc710571b773557170cce9764fff83b6dfd8ae (diff)
Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
Diffstat (limited to 'docs/releases')
-rw-r--r-- docs/releases/2.2.13.txt 7
-rw-r--r-- docs/releases/3.0.7.txt 7
2 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt
index 2e149a1f18..ee381fdcce 100644
--- a/docs/releases/2.2.13.txt
+++ b/docs/releases/2.2.13.txt
@@ -6,6 +6,13 @@ Django 2.2.13 release notes
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
+CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
+================================================================
+
+Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
+encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
+ensures query parameters are correctly URL encoded.
+
Bugfixes
========
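Review bot: the new section's "posing an XSS attack vector" leaves out the precondition readers need for severity triage: the heading itself says this is the admin ``ForeignKeyRawIdWidget``, so the note should state that the issue is reachable only where that widget is rendered in the admin, and which query parameters (the raw-id lookup link's) were passed through unencoded. A single clarifying sentence after "were not properly URL encoded" would let site operators judge exposure without reading the code change. Heading and underline lengths match (64 characters), so the reST is fine as is.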
diff --git a/docs/releases/3.0.7.txt b/docs/releases/3.0.7.txt
index f1775b3471..51ac0d7edd 100644
--- a/docs/releases/3.0.7.txt
+++ b/docs/releases/3.0.7.txt
@@ -6,6 +6,13 @@ Django 3.0.7 release notes
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
+CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
+================================================================
+
+Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
+encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
+ensures query parameters are correctly URL encoded.
+
Bugfixes
========
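Review bot: the unchanged context line "Django 3.0.7 fixes two security issues and several bugs in 3.0.6." sits directly above the inserted section, and the context shows nothing else between the intro and "Bugfixes" before this change, so after this hunk the file describes only one of the two security issues it announces. Confirm the second advisory's section is added by its own commit before the release is cut, and that the two CVE sections end up in a consistent order in both 2.2.13.txt and 3.0.7.txt. The section text is otherwise identical to the 2.2.13 hunk, as expected for a backport.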