CVE-2015-2241

Published: 12 March 2015

Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
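The rendering contract behind this bug, as an added illustration that is not code from this advisory or from Django: a readonly field backed by a @property returns plain text, and it must be escaped unless the attribute explicitly returns a value marked safe via `__html__`. The `Article` model, its `preview` property and both `readonly_contents_*` helpers are constructed stand-ins, not Django's own `AdminReadonlyField.contents`.

```python
import html


class SafeString(str):
    """A string that declares itself already-escaped HTML via __html__,
    the same contract Django's mark_safe()/conditional_escape() rely on."""

    def __html__(self):
        return str(self)


def conditional_escape(value):
    """Escape untrusted text; pass through values that declare __html__."""
    if hasattr(value, "__html__"):
        return SafeString(value.__html__())
    return SafeString(html.escape(str(value), quote=True))


class Article:
    """Hypothetical model with a @property listed in readonly_fields."""

    def __init__(self, body):
        self.body = body  # constructed: user-supplied text stored in the DB

    @property
    def preview(self):
        return self.body[:80]  # plain text, never intended as HTML


def readonly_contents_unescaped(obj, name):
    """Simplified stand-in for the pre-fix behaviour the advisory describes:
    the property's value is emitted as markup without being escaped."""
    return SafeString(str(getattr(obj, name)))


def readonly_contents_escaped(obj, name):
    """Hardened variant: escape unless the attribute itself returned a value
    marked safe (an author-controlled decision, never user data)."""
    return conditional_escape(getattr(obj, name))


if __name__ == "__main__":
    # constructed sample: markup submitted by an untrusted user
    article = Article("<b>hello</b><script>alert(1)</script>")
    print(readonly_contents_unescaped(article, "preview"))
    print(readonly_contents_escaped(article, "preview"))
```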

Priority

Medium

Status

Package: python-django

Release                         Status
Upstream                        Released (1.7.6-1)
Ubuntu 14.04 ESM (Trusty Tahr)  Not vulnerable

Patches:
Upstream: https://github.com/django/django/commit/2654e1b93923bac55f12b4e66c5e39b16695ace5 (1.7)
Upstream: https://github.com/django/django/commit/35d68e8e766217924375e1a91533fee50159291c (1.8)