[arch-security] [ASA-201503-7] python2-django python-django - cross site scripting
Arch Linux Security Advisory ASA-201503-7
=========================================

Severity: Medium
Date    : 2015-03-11
CVE-ID  : CVE-2015-2241
Package : python2-django python-django
Type    : Cross-Site-Scripting
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The packages python2-django and python-django before version 1.7.6-1 are
vulnerable to cross-site scripting.

Resolution
==========

Upgrade to 1.7.6-1.

# pacman -Syu "python2-django>=1.7.6-1"
# pacman -Syu "python-django>=1.7.6-1"

Workaround
==========

None.

Description
===========

XSS attack via properties in ModelAdmin.readonly_fields.

Impact
======

A remote attacker is able to change content or to craft a specific phishing
website.

References
==========

https://www.djangoproject.com/weblog/2015/mar/09/security-releases/
https://security-tracker.debian.org/tracker/CVE-2015-2241
https://bugs.archlinux.org/task/44122
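The defect class behind this advisory, as an added illustration that is not part of the advisory and not Django's code: a simplified stand-in for rendering a readonly_fields entry, where a model property's value reaches the page without HTML escaping, beside the corrected form that escapes every value unless its producer explicitly marked it safe. The Article class, the SafeString marker and the sample input are constructed for the example.

```python
import html


class SafeString(str):
    """Marker type: the producer has already escaped this value
    (the role Django's mark_safe plays; constructed for this example)."""


class Article:
    """Constructed model-like object; `headline` stands in for a property
    listed in ModelAdmin.readonly_fields."""

    def __init__(self, title):
        self.title = title  # stored, user-controlled text

    @property
    def headline(self):
        return "Draft: " + self.title

    @property
    def banner(self):
        # Producer-escaped markup, deliberately marked safe.
        return SafeString("<b>" + html.escape(self.title) + "</b>")


def render_readonly_vulnerable(obj, name):
    """Hypothetical simplification of the flawed behaviour: a property's
    value is inserted verbatim, so stored markup becomes active HTML."""
    attr = getattr(type(obj), name, None)
    if isinstance(attr, property):
        return str(getattr(obj, name))  # no escaping: the XSS vector
    return html.escape(str(getattr(obj, name)), quote=True)


def render_readonly_fixed(obj, name):
    """Corrected form: escape everything except values explicitly marked safe."""
    value = getattr(obj, name)
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


# Constructed sample input carrying markup that must never render as code.
SAMPLE = Article("<script>alert(1)</script>")

if __name__ == "__main__":
    print("vulnerable:", render_readonly_vulnerable(SAMPLE, "headline"))
    print("fixed     :", render_readonly_fixed(SAMPLE, "headline"))
```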
participants (1)
- Christian Rebischke