wangchunlin
/
cvat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix security issues (#519)

Browse Source 
CVE-2019-12308 More information

moderate severity
Vulnerable versions: >= 2.1.0, < 2.1.9
Patched version: 2.1.9
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

WS-2019-0037 More information

moderate severity
Vulnerable versions: < 3.9.1
Patched version: 3.9.1
Django-Rest-Framework, before 3.9.1, has a XSS vulnerability caused by disabled autoescaping in the default DRF Browsable API view templates.
main
Nikita Manovich 7 years ago committed by GitHub
parent f20698921e
commit 23d7c33667
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File

4
cvat/requirements/base.txt
Unescape Escape View File

@ -1,5 +1,5 @@
click==6.7
Django==2.1.7
Django==2.1.9
django-appconf==1.0.2
django-auth-ldap==1.4.0
django-cacheops==4.0.6
@ -29,7 +29,7 @@ GitPython==2.1.11
coreapi==2.3.3
django-filter==2.0.0
Markdown==3.0.1
djangorestframework==3.9.0
djangorestframework==3.9.1
Pygments==2.3.1
drf-yasg==1.15.0
Shapely==1.6.4.post2

Write Preview
Loading…
Cancel
Save