[Bug 1212058] [NEW] Cross-site scripting (XSS) in admin interface
Chris Johnston
chris.johnston at canonical.com
Wed Aug 14 01:09:29 UTC 2013
*** This bug is a security vulnerability ***
Public security bug reported:
"When displaying the value of a URLField -- a model field type for
storing URLs -- this interface treated the values of such fields as
safe, thus failing to properly accommodate the potential for dangerous
values. A proof-of-concept application has been provided to the Django
project, showing how this can be exploited to perform XSS in the
administrative interface."
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
** Affects: python-django (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1212058
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1212058/+subscriptions