{"id":"CVE-2015-2241","details":"Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.","aliases":["GHSA-6565-fg86-6jcx","PYSEC-2015-8"],"modified":"2026-04-16T01:48:36.820482036Z","published":"2015-03-12T14:59:05Z","withdrawn":"2026-01-27T04:13:53.399314Z","references":[{"type":"ADVISORY","url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"},{"type":"EVIDENCE","url":"https://code.djangoproject.com/ticket/24461"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2015/mar/09/security-releases/"},{"type":"WEB","url":"http://www.securityfocus.com/bid/73095"}],"schema_version":"1.7.3"}