From 23d7c33667508ab2aa65d1ecd3e0cc0fb7825b45 Mon Sep 17 00:00:00 2001
From: Nikita Manovich <40690625+nmanovic@users.noreply.github.com>
Date: Wed, 26 Jun 2019 12:34:34 +0300
Subject: [PATCH] Fix security issues (#519)

CVE-2019-12308 More information

moderate severity
Vulnerable versions: >= 2.1.0, < 2.1.9
Patched version: 2.1.9
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

WS-2019-0037 More information

moderate severity
Vulnerable versions: < 3.9.1
Patched version: 3.9.1
Django-Rest-Framework, before 3.9.1, has a XSS vulnerability caused by disabled autoescaping in the default DRF Browsable API view templates.
---
 cvat/requirements/base.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cvat/requirements/base.txt b/cvat/requirements/base.txt
index e7e82c29..d20e2422 100644
--- a/cvat/requirements/base.txt
+++ b/cvat/requirements/base.txt
@@ -1,5 +1,5 @@
 click==6.7
-Django==2.1.7
+Django==2.1.9
 django-appconf==1.0.2
 django-auth-ldap==1.4.0
 django-cacheops==4.0.6
@@ -29,7 +29,7 @@ GitPython==2.1.11
 coreapi==2.3.3
 django-filter==2.0.0
 Markdown==3.0.1
-djangorestframework==3.9.0
+djangorestframework==3.9.1
 Pygments==2.3.1
 drf-yasg==1.15.0
 Shapely==1.6.4.post2