{"id":"BIT-django-2020-13596","details":"An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.","aliases":["CVE-2020-13596","GHSA-2m34-jcjv-45xf","PYSEC-2020-32"],"modified":"2025-04-03T14:40:37.652Z","published":"2024-03-06T10:56:25.690Z","database_specific":{"cpes":["cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"],"severity":"Medium"},"references":[{"type":"WEB","url":"https://docs.djangoproject.com/en/3.0/releases/security/"},{"type":"WEB","url":"https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20200611-0002/"},{"type":"WEB","url":"https://usn.ubuntu.com/4381-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/4381-2/"},{"type":"WEB","url":"https://www.debian.org/security/2020/dsa-4705"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2020/jun/03/security-releases/"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13596"}],"affected":[{"package":{"name":"django","ecosystem":"Bitnami","purl":"pkg:bitnami/django"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.2.0"},{"fixed":"2.2.13"},{"introduced":"3.0.0"},{"fixed":"3.0.7"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/django/BIT-django-2020-13596.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}],"schema_version":"1.7.3"}