Bug 1355663 (CVE-2016-6186) - CVE-2016-6186 django: XSS in admin's add/change related popup
Summary: CVE-2016-6186 django: XSS in admin's add/change related popup
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-6186
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1356326 1356327 1356328 1356330 1356331 1357701 1357702 1357703 1357704 1357726 1357727
Blocks: 1355664
TreeView+ depends on / blocked
 
Reported: 2016-07-12 07:54 UTC by Andrej Nemec
Modified: 2021-02-17 03:37 UTC (History)
24 users (show)

Fixed In Version: django 1.9.8, django 1.8.14
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript's Element.innerHTML to forge content in the admin's add/change related pop-up. Element.textContent is now used to prevent XSS data execution.
Clone Of:
Environment:
Last Closed: 2016-12-16 00:13:39 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1594 0 normal SHIPPED_LIVE Moderate: python-django security update 2016-08-11 03:44:08 UTC
Red Hat Product Errata RHSA-2016:1595 0 normal SHIPPED_LIVE Moderate: python-django security update 2016-08-11 04:04:09 UTC
Red Hat Product Errata RHSA-2016:1596 0 normal SHIPPED_LIVE Moderate: python-django security update 2016-08-11 05:23:19 UTC

Description Andrej Nemec 2016-07-12 07:54:41 UTC
XSS vulnerability was found in django. Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the admin's add/change related popup. ``Element.textContent`` is now used to prevent execution of the data.

The debug view also used ``innerHTML``. Although a security issue wasn't identified there, out of an abundance of caution it's also updated to use ``textContent``.

Comment 2 Summer Long 2016-07-12 23:39:21 UTC
Acknowledgements:

Name: the upstream Django project

Comment 8 Summer Long 2016-07-19 00:15:29 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1357702]

Comment 9 Summer Long 2016-07-19 00:15:41 UTC
Created python-django15 tracking bugs for this issue:

Affects: epel-6 [bug 1357703]

Comment 10 Summer Long 2016-07-19 00:15:52 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1357701]
Affects: epel-7 [bug 1357704]

Comment 11 Summer Long 2016-07-19 00:53:42 UTC
Created python-django-openstack-auth tracking bugs for this issue:

Affects: openstack-rdo [bug 1357727]

Comment 12 Summer Long 2016-07-19 00:53:52 UTC
Created python-django-horizon tracking bugs for this issue:

Affects: openstack-rdo [bug 1357726]

Comment 16 errata-xmlrpc 2016-08-10 23:44:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 Operational Tools for RHEL 7

Via RHSA-2016:1594 https://rhn.redhat.com/errata/RHSA-2016-1594.html

Comment 17 errata-xmlrpc 2016-08-11 00:04:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:1595 https://rhn.redhat.com/errata/RHSA-2016-1595.html

Comment 18 errata-xmlrpc 2016-08-11 01:23:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:1596 https://rhn.redhat.com/errata/RHSA-2016-1596.html


Note You need to log in before you can comment on or make changes to this bug.