CVE-2015-2241
Published: 12 March 2015
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Notes
Author | Note |
---|---|
mdeslaur | only affects 1.7.x |
Priority
Status
Package | Release | Status |
---|---|---|
python-django | lucid | Not vulnerable |
python-django | precise | Not vulnerable |
python-django | trusty | Not vulnerable |
python-django | upstream | Released (1.7.6-1) |
python-django | utopic | Not vulnerable |

Patches:
upstream: https://github.com/django/django/commit/2654e1b93923bac55f12b4e66c5e39b16695ace5
upstream: https://github.com/django/django/commit/35d68e8e766217924375e1a91533fee50159291c