CVE-2020-13596
Django 2.2 before 2.2.13 and 3.0 before 3.0.7 - Cross-Site Scripting via ForeignKeyRawIdWidget Query Parameters
Severity: MEDIUM
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
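As an added example (it is not Django's code and not the upstream patch), the bug class the description names: a query string assembled by interpolating raw parameter values next to one built with urllib.parse.urlencode, plus a round-trip check that shows which of the two a standard parser reads back into the parameters the developer intended. The parameter names and values below are constructed for illustration; the advisory itself gives no payload.

```python
"""Added example for the bug class behind CVE-2020-13596; not Django code.

The advisory says the admin ForeignKeyRawIdWidget built the query string for
its lookup popup without URL-encoding the parameter values. The two builders
below contrast a naive "key=value" join with urllib.parse.urlencode, and
round_trips() shows which of the two a server-side parser reads back into
the intended parameters. Parameter names and values are constructed.
"""
from urllib.parse import parse_qs, urlencode


def naive_query_string(params):
    """Vulnerable pattern: values are interpolated verbatim, so '&' or '='
    inside a value splits or renames parameters, and '"', '<' or '>' reach
    the HTML attribute that carries the URL without being encoded."""
    if not params:
        return ""
    return "?" + "&".join("%s=%s" % (k, v) for k, v in params.items())


def encoded_query_string(params):
    """Hardened pattern: every key and value is percent-encoded."""
    if not params:
        return ""
    return "?" + urlencode(params)


def parse_query_string(query):
    """Parse a '?k=v&...' string the way a server would (first value wins)."""
    pairs = parse_qs(query.lstrip("?"), keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def round_trips(params, builder):
    """True when builder(params), parsed back, equals params exactly."""
    expected = {str(k): str(v) for k, v in params.items()}
    return parse_query_string(builder(params)) == expected


def injected_keys(params, builder):
    """Parameter names that appear after parsing but were never supplied."""
    return sorted(set(parse_query_string(builder(params))) - set(params))


# Constructed lookup filter, modelled on the kind of limit_choices_to lookup
# a raw-id widget forwards to its popup. The second value carries characters
# that are harmless as a filter string but special in a URL and in HTML.
SAMPLE_PARAMS = {
    "name__startswith": "Ada",
    "note__contains": 'x&y=1"><script>alert(1)</script>',
}


if __name__ == "__main__":
    for builder in (naive_query_string, encoded_query_string):
        print(builder.__name__, builder(SAMPLE_PARAMS))
        print("  round-trips:", round_trips(SAMPLE_PARAMS, builder),
              " injected keys:", injected_keys(SAMPLE_PARAMS, builder))
```

Run stand-alone, the naive builder emits the second value verbatim, so the parser sees a spurious parameter named y and the literal quote and angle brackets sit inside the URL; the urlencode builder percent-encodes all of them and the parameters survive the round trip unchanged. Encoding at the point where the URL is assembled closes both the parameter-splitting and the attribute-breakout problem, independent of whatever escaping the template that embeds the URL applies.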
References (9)
https://usn.ubuntu.com/4381-1/ - Third Party Advisory, vendor-advisory (x_refsource_ubuntu)
https://usn.ubuntu.com/4381-2/ - Third Party Advisory, vendor-advisory (x_refsource_ubuntu)
https://www.debian.org/security/2020/dsa-4705 - Third Party Advisory, vendor-advisory (x_refsource_debian)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/ - Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora)
https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory (x_refsource_misc)
https://docs.djangoproject.com/en/3.0/releases/security/ - Release Notes, Vendor Advisory (x_refsource_misc)
https://www.djangoproject.com/weblog/2020/jun/03/security-releases/ - Release Notes, Vendor Advisory (x_refsource_confirm)
https://security.netapp.com/advisory/ntap-20200611-0002/ - Third Party Advisory (x_refsource_confirm)
https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ - Mailing List (x_refsource_misc)
Scores
CVSS v3.1 base score: 6.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: NETWORK
EPSS: 0.0081 (percentile 74.5%)
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (13)
canonical/ubuntu_linux 14.04, 16.04, 18.04, 19.10, 20.04
debian/debian_linux 9.0, 10.0
djangoproject/django 2.2 - 2.2.13
fedoraproject/fedora 32
netapp/sra_plugin
... and 3 more
Published: Jun 03, 2020
Tracked since: Feb 18, 2026