Skip to content

Cross Site Scripting vulnerability in django-jsonform's admin form.

High severity GitHub Reviewed Published Jun 10, 2022 in bhch/django-jsonform • Updated Jan 12, 2023

Package

pip django-jsonform (pip)

Affected versions

< 2.10.1

Patched versions

2.10.1

Description

Description

django-jsonform stores the raw JSON data of the db field in a hidden textarea on the admin page. However, that data was kept in the textarea after unescaping it using the safe template filter. This opens up possibilities for XSS attacks.

This only affects the admin pages where the django-jsonform is rendered.

Mitigation

Upgrade to django-jsonform version 2.10.1 or later.

For more information

If you have any questions or comments about this advisory:

  • Open an issue.
  • Email the maintainer at Bharat Chauhan <tell.bhch@gmail.com>.

References

@bhch bhch published to bhch/django-jsonform Jun 10, 2022
Published to the GitHub Advisory Database Jun 10, 2022
Reviewed Jun 10, 2022
Last updated Jan 12, 2023

Severity

High

EPSS score

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-x9jp-4w8m-4f3c

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.