Bugzilla – Bug 988420
VUL-1: CVE-2016-6186: python-Django: XSS in admin's add/change related popup
Last modified: 2023-03-20 20:05:52 UTC
Admin page views are not affected in 1.6.11. The django/views/debug.py part is in 1.6.11. Cloud 6 affected.
https://docs.djangoproject.com/en/1.8/ref/contrib/admin/ So for this to be exploited, the automatic admin feature needs to be used. Is that the case in our products?
bugbot adjusting priority
(In reply to Andreas Stieger from comment #6)
> https://docs.djangoproject.com/en/1.8/ref/contrib/admin/
>
> So for this to be exploited, the automatic admin feature needs to be used.
> Is that the case in our products?

It's not used in the Cloud products.
(In reply to Thomas Bechtold from comment #8)
> (In reply to Andreas Stieger from comment #6)
> > https://docs.djangoproject.com/en/1.8/ref/contrib/admin/
> >
> > So for this to be exploited, the automatic admin feature needs to be used.
> > Is that the case in our products?
>
> It's not used in the Cloud products.

Thanks, not triggering an update.
Actually, keeping open for openSUSE
Public at https://www.djangoproject.com/weblog/2016/jul/18/security-releases/

Django security releases issued: 1.10 release candidate 1, 1.9.8, and 1.8.14
Posted by Tim Graham on July 18, 2016

In accordance with our security release policy, the Django team is issuing Django 1.10 release candidate 1, Django 1.9.8 and 1.8.14. These releases address a security issue detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch is also updated.

Django 1.10 is now at release candidate stage. This marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, 1.10 final will be issued on or around August 1. Any delays will be communicated on the django-developers mailing list thread.

CVE-2016-6186: XSS in admin's add/change related popup

Unsafe usage of JavaScript's Element.innerHTML could result in XSS in the admin's add/change related popup. Element.textContent is now used to prevent execution of the data. The debug view also used innerHTML. Although a security issue wasn't identified there, out of an abundance of caution it's also updated to use textContent.

Thanks Vulnerability Laboratory for reporting the issue and Paulo Alvarado for forwarding it to us.
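An added illustration of the fix pattern the advisory describes (not Django's own admin code): the same related-object label rendered once through innerHTML and once through textContent. MiniElement is a constructed stand-in for a DOM element so the block runs under Node without a browser, and SAMPLE_LABEL is a constructed string representation that happens to contain markup.

```javascript
// Constructed stand-in for a DOM element so this runs under Node without a
// browser. It models only the behaviour that matters for CVE-2016-6186:
// innerHTML *parses* its input into nodes, textContent stores one text node.
class MiniElement {
  constructor() { this.childNodes = []; }

  set innerHTML(markup) {
    this.childNodes = [];
    // Crude tokenizer: tags become element nodes, everything else text nodes.
    for (const tok of markup.split(/(<[^>]+>)/).filter(Boolean)) {
      if (tok.startsWith('</')) continue;            // closing tag: no node
      if (tok.startsWith('<')) {
        const tagName = tok.slice(1).split(/[\s/>]/)[0].toLowerCase();
        this.childNodes.push({ nodeType: 1, tagName });
      } else {
        this.childNodes.push({ nodeType: 3, data: tok });
      }
    }
  }

  set textContent(text) {
    this.childNodes = [{ nodeType: 3, data: String(text) }];
  }

  get textContent() {
    return this.childNodes.filter(n => n.nodeType === 3).map(n => n.data).join('');
  }
}

// Pre-fix pattern: the related object's label is treated as HTML.
function renderLabelWithInnerHTML(el, label) { el.innerHTML = label; return el; }
// Post-fix pattern: the label is inserted as inert text.
function renderLabelWithTextContent(el, label) { el.textContent = label; return el; }

function elementNodeCount(el) {
  return el.childNodes.filter(n => n.nodeType === 1).length;
}

// Render the same label both ways and report what ended up in the DOM.
function compareRenderings(label) {
  const unsafe = renderLabelWithInnerHTML(new MiniElement(), label);
  const safe = renderLabelWithTextContent(new MiniElement(), label);
  return {
    parsedElements: elementNodeCount(unsafe), // >0: markup became live DOM
    inertElements: elementNodeCount(safe),    // always 0 with textContent
    inertText: safe.textContent,              // the label, verbatim
  };
}

// Constructed sample: an object whose string representation carries markup.
const SAMPLE_LABEL = 'Acme <b>Widgets</b> Ltd';
console.log(compareRenderings(SAMPLE_LABEL));
```

The point the model makes is the one the fix relies on: any data that reaches innerHTML is parsed as markup, while textContent never parses, so the label cannot introduce elements or handlers no matter what it contains.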
https://build.opensuse.org/request/show/417957 move the one in d:l:p
This is an autogenerated message for OBS integration: This bug (988420) was mentioned in https://build.opensuse.org/request/show/559133 Factory / python-Django1
openSUSE-SU-2023:0077-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1077714,1102680,1208082,937524,952198,988420
CVE References: CVE-2015-3982,CVE-2015-5145,CVE-2015-5963,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-14574,CVE-2018-6188,CVE-2018-7536,CVE-2018-7537,CVE-2023-24580
JIRA References:
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): python-Django-1.11.15-2.1