diff options
| author | Jon Dufresne <jon.dufresne@gmail.com> | 2020-05-26 09:51:02 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2020-06-03 09:33:38 +0200 |
| commit | 6d61860b22875f358fac83d903dc629897934815 (patch) | |
| tree | e1d8bf6910f281a136c350def0a9a343cef8d6b0 /docs | |
| parent | 7e1084ead07b10e36d391f5366f411c58fbcc4c2 (diff) | |
[2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/2.2.13.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt index 2e149a1f18..ee381fdcce 100644 --- a/docs/releases/2.2.13.txt +++ b/docs/releases/2.2.13.txt @@ -6,6 +6,13 @@ Django 2.2.13 release notes Django 2.2.13 fixes two security issues and a regression in 2.2.12. +CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget`` +================================================================ + +Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL +encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now +ensures query parameters are correctly URL encoded. + Bugfixes ======== |