[Bug 1212058] [NEW] Cross-site scripting (XSS) in admin interface

Chris Johnston chris.johnston at canonical.com
Wed Aug 14 01:09:29 UTC 2013


*** This bug is a security vulnerability ***

Public security bug reported:

"When displaying the value of a URLField -- a model field type for
storing URLs -- this interface treated the values of such fields as
safe, thus failing to properly accommodate the potential for dangerous
values. A proof-of-concept application has been provided to the Django
project, showing how this can be exploited to perform XSS in the
administrative interface."

https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/

** Affects: python-django (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1212058

Title:
  Cross-site scripting (XSS) in admin interface

Status in “python-django” package in Ubuntu:
  New

Bug description:
  "When displaying the value of a URLField -- a model field type for
  storing URLs -- this interface treated the values of such fields as
  safe, thus failing to properly accommodate the potential for dangerous
  values. A proof-of-concept application has been provided to the Django
  project, showing how this can be exploited to perform XSS in the
  administrative interface."

  https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1212058/+subscriptions
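The bug class quoted above, as an added illustration that is not from the Django project or the Ubuntu package: a stored URL value rendered into an admin link without escaping versus the same value rendered with HTML escaping and a scheme allow-list. The sample value, the allow-list and the helper names are constructed assumptions, not anything from the Django proof-of-concept.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample value: a stored URLField value that contains HTML
# metacharacters. Nothing here is taken from the Django proof-of-concept.
SAMPLE_URL = 'http://example.com/?q="><i>x</i>&r=1'

# Schemes for which the display may emit a clickable link (assumption).
ALLOWED_SCHEMES = ("http", "https", "ftp")

def render_link_vulnerable(url: str) -> str:
    """Pre-fix behaviour: the stored value is treated as safe and
    interpolated verbatim into the anchor, so it can close the
    attribute and inject markup into the admin page."""
    return '<a href="%s">%s</a>' % (url, url)

def render_link_safe(url: str) -> str:
    """Hardened display: escape for the HTML attribute and text contexts,
    and only link values whose scheme is allow-listed."""
    escaped = html.escape(url, quote=True)
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        return escaped  # shown as text, never as a clickable link
    return '<a href="%s">%s</a>' % (escaped, escaped)

class _LinkParser(HTMLParser):
    """Records the tags and <a href> values a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href"]

def parse_markup(markup: str):
    """Return (tags, hrefs) found in markup; exactly one 'a' is expected."""
    parser = _LinkParser()
    parser.feed(markup)
    return parser.tags, parser.hrefs

if __name__ == "__main__":
    print("vulnerable:", parse_markup(render_link_vulnerable(SAMPLE_URL)))
    print("safe:      ", parse_markup(render_link_safe(SAMPLE_URL)))
```

The vulnerable rendering yields extra elements and a truncated href, while the hardened rendering yields a single anchor whose href round-trips to the stored value.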
