Safety vulnerability ID: 38373
The information on this page was manually curated by our Cybersecurity Intelligence Team.
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
Latest version: 5.1.4
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
===========================
*June 3, 2020*
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
CVE-2020-13254: Potential data leakage via malformed memcached keys
===================================================================
In cases where a memcached backend does not perform key validation, passing
malformed cache keys could result in a key collision, and potential data
leakage. In order to avoid this vulnerability, key validation is added to the
memcached cache backends.
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================
Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded.
Bugfixes
========
* Fixed a regression in Django 2.2.12 that affected translation loading for
apps providing translations for territorial language variants as well as a
generic language, where the project has different plural equations for the
language (:ticket:`31570`).
* Tracking a jQuery security release, upgraded the version of jQuery used by
the admin from 3.3.1 to 3.5.1.
===========================
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application