CVE-2020-13596

moderate-risk

Published 2020-06-03

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

Do I need to act?

0.99% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (12)

Django

Fedora

Ubuntu Linux

Sra Plugin

Steelstore Cloud Integrated Storage

Debian Linux

Zfs Storage Appliance Kit

Affected Vendors

Debian Oracle Canonical Fedoraproject Netapp Djangoproject

References (18)

Release Notes https://docs.djangoproject.com/en/3.0/releases/security/

https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.netapp.com/advisory/ntap-20200611-0002/

Third Party Advisory https://usn.ubuntu.com/4381-1/

Third Party Advisory https://usn.ubuntu.com/4381-2/

Third Party Advisory https://www.debian.org/security/2020/dsa-4705

Release Notes https://www.djangoproject.com/weblog/2020/jun/03/security-releases/

Patch https://www.oracle.com/security-alerts/cpujan2021.html