Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14OWpwLTR3OG0tNGYzY84AArfm

Cross Site Scripting vulnerability in django-jsonform's admin form.

Description

django-jsonform stores the raw JSON data of the db field in a hidden textarea on the admin page. However, that data was kept in the textarea after unescaping it using the safe template filter. This opens up possibilities for XSS attacks.

This only affects the admin pages where the django-jsonform is rendered.

Mitigation

Upgrade to django-jsonform version 2.10.1 or later.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-x9jp-4w8m-4f3c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14OWpwLTR3OG0tNGYzY84AArfm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago


Identifiers: GHSA-x9jp-4w8m-4f3c
References: Repository: https://github.com/bhch/django-jsonform
Blast Radius: 0.0

Affected Packages

pypi:django-jsonform
Dependent packages: 3
Dependent repositories: 5
Downloads: 109,939 last month
Affected Version Ranges: < 2.10.1
Fixed in: 2.10.1
All affected versions: 0.9.0, 1.0.0, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 2.9.0, 2.10.0
All unaffected versions: 2.10.1, 2.11.0, 2.11.1, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.16.1, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.18.0, 2.19.0, 2.19.1, 2.20.0, 2.20.1, 2.20.2, 2.21.0, 2.21.1, 2.21.2, 2.21.3, 2.21.4, 2.21.5, 2.22.0