* Run tests for REST API
* Added DJANGO_CONFIGURATION with value "testing"
* Fixed crash of python tests
* Update .travis.yml
* Update CHANGELOG.md
* Removed --settings option
* Split implementation
* Group implementation
* Reset cache for created object after saving
* A litle fix
* API methods definitions
* Typos
* API methods annotations.Statistics() and annotationsclear()
* Object selection
* Little fix
* Comments and docs a little changed
* Increase/decrease ZOrder
* ZOrder up/down
* Some crutial bugs fixed
* hasUnsavedChanges and merge
* Added API description
* Fixed bugs
* Merge was tested
* New file
* Fixed unit tests
* Fixed small bug which reproduced only after build
* Case sensitive renaming
* Update `cvat-js` lib.
* Add `.env` file
* Add basic redux capabilities
* Remove `setTimeout` as it was fixes in `cvat-js`
* Remove redundant state field
* Fixed authorization in case of invalid login/password
* The first version of frames
* Frames work in browser
* Init version of getting annotations
* Getting annotations from the server
* Couple of fixes
* Removed extra line
CVE-2019-12308 More information
moderate severity
Vulnerable versions: >= 2.1.0, < 2.1.9
Patched version: 2.1.9
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.
WS-2019-0037 More information
moderate severity
Vulnerable versions: < 3.9.1
Patched version: 3.9.1
Django-Rest-Framework, before 3.9.1, has a XSS vulnerability caused by disabled autoescaping in the default DRF Browsable API view templates.
EvgenyShashkin
Boris Sekachev
Ben Hoff
Nikita Manovich
Artyom Zankevich
Dustin Dorroh
Andrey Zhavoronkov
Ben Hoff
zliang7
Boris Sekachev
Rafael Kazuo Sato Simião
Eduardo
Satoshi Oikawa