CVE-2019-12308 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-12308 Interim 1 30 2026-03-05T06:16:19Z current 2021-05-30T14:28:36Z 2026-03-05T06:16:19Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-12308 An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2019-August/005769.html E-Mail link for SUSE-SU-2019:2034-1 https://www.suse.com/support/update/announcement/2019/suse-su-20192257-1.html E-Mail link for SUSE-SU-2019:2257-1 https://lists.suse.com/pipermail/sle-security-updates/2019-September/005894.html E-Mail link for SUSE-SU-2019:2335-1 https://lists.suse.com/pipermail/sle-security-updates/2024-August/019139.html E-Mail link for SUSE-SU-2024:2817-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3LGJSPCN3VEG2UJPYCUB6TU75JTIV2TQ/#3LGJSPCN3VEG2UJPYCUB6TU75JTIV2TQ E-Mail link for openSUSE-SU-2019:1839-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5XTP44JEOSNXRVW4JDZXA5XGMBDZLWSW/#5XTP44JEOSNXRVW4JDZXA5XGMBDZLWSW E-Mail link for openSUSE-SU-2019:1872-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 SUSE Enterprise Storage 4 SUSE Enterprise Storage 5 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 SUSE Package Hub 15 SP1 openSUSE Leap 15.1 openSUSE Leap 15.5 openSUSE Tumbleweed python-Django python-Django-1.11.23-3.12.1 python-Django1-1.11.23-3.9.1 python3-Django-2.0.7-150000.1.27.1 python3-Django-2.2.4-bp151.3.3.1 python3-Django-2.2.4-lp151.2.3.1 python310-Django-4.2.11-2.1 python310-Django4-4.2.14-1.1 python311-Django-4.2.11-2.1 python311-Django4-4.2.14-1.1 python312-Django-4.2.11-2.1 python312-Django4-4.2.14-1.1 python312-Django6-6.0-1.1 python313-Django6-6.0-1.1 python36-Django-3.2.7-2.3 python38-Django-3.2.7-2.3 python39-Django-3.2.7-2.3 python-Django-1.11.23-3.12.1 as a component of HPE Helion OpenStack 8 python-Django-1.11.23-3.12.1 as a component of SUSE OpenStack Cloud 8 python-Django1-1.11.23-3.9.1 as a component of SUSE OpenStack Cloud 9 python-Django-1.11.23-3.12.1 as a component of SUSE OpenStack Cloud Crowbar 8 python-Django1-1.11.23-3.9.1 as a component of SUSE OpenStack Cloud Crowbar 9 python3-Django-2.2.4-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 python3-Django-2.2.4-lp151.2.3.1 as a component of openSUSE Leap 15.1 python3-Django-2.0.7-150000.1.27.1 as a component of openSUSE Leap 15.5 python310-Django-4.2.11-2.1 as a component of openSUSE Tumbleweed python310-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python311-Django-4.2.11-2.1 as a component of openSUSE Tumbleweed python311-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python312-Django-4.2.11-2.1 as a component of openSUSE Tumbleweed python312-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python312-Django6-6.0-1.1 as a component of openSUSE Tumbleweed python313-Django6-6.0-1.1 as a component of openSUSE Tumbleweed python36-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed python38-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed python39-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed python-Django as a component of SUSE Enterprise Storage 4 python-Django as a component of SUSE Enterprise Storage 5 python-Django as a component of SUSE OpenStack Cloud 7 An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. CVE-2019-12308 HPE Helion OpenStack 8:python-Django-1.11.23-3.12.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP7:python3-Django-2.0.7-150000.1.27.1 SUSE OpenStack Cloud 8:python-Django-1.11.23-3.12.1 SUSE OpenStack Cloud 9:python-Django1-1.11.23-3.9.1 SUSE OpenStack Cloud Crowbar 8:python-Django-1.11.23-3.12.1 SUSE OpenStack Cloud Crowbar 9:python-Django1-1.11.23-3.9.1 SUSE Package Hub 15 SP1:python3-Django-2.2.4-bp151.3.3.1 openSUSE Leap 15.1:python3-Django-2.2.4-lp151.2.3.1 openSUSE Leap 15.5:python3-Django-2.0.7-150000.1.27.1 openSUSE Tumbleweed:python310-Django-4.2.11-2.1 openSUSE Tumbleweed:python310-Django4-4.2.14-1.1 openSUSE Tumbleweed:python311-Django-4.2.11-2.1 openSUSE Tumbleweed:python311-Django4-4.2.14-1.1 openSUSE Tumbleweed:python312-Django-4.2.11-2.1 openSUSE Tumbleweed:python312-Django4-4.2.14-1.1 openSUSE Tumbleweed:python312-Django6-6.0-1.1 openSUSE Tumbleweed:python313-Django6-6.0-1.1 openSUSE Tumbleweed:python36-Django-3.2.7-2.3 openSUSE Tumbleweed:python38-Django-3.2.7-2.3 openSUSE Tumbleweed:python39-Django-3.2.7-2.3 SUSE Enterprise Storage 4:python-Django SUSE Enterprise Storage 5:python-Django SUSE OpenStack Cloud 7:python-Django moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N