GHSA-785H-76CM-CPMF
Vulnerability from github – Published: 2025-03-26 20:34 – Updated: 2025-03-26 20:34Summary
User supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and in some cases are rendered in browser as valid html tags.
Details
Attributes passed to the widget (such as label_field) containing <, >, and similar tokens are not fully escaped. This results in some raw values reaching the widget, and rendering in part or fully.
For example, a label of: "Test User <script>I can pass this to the label_field and it gets rendered</script>" is rendered in the choices's label visually as "Test User " with the trailing space, and what appears as an un-executed script tag following it (which is visible when viewing source).
The actual output rendered in the browser for this example is: <div role="option" data-value="63f205b6" class="item" data-ts-item="">Test User <script>I can pass this to the label_field and it gets rendered</script></div>
The script tags appears to be valid in Chrome dev tools, but doesn't appear execute code.
Impact
Although the risk may be mediated since the content within the rendered <script></script> tags does not seem to actually/immediately run, potential may exist for other ways of increasing the risk (e.g.: code injection). In addition, the widget does not display correctly for valid strings containing < or >. Valid use-cases for printing these characters include widget label fields displaying email addresses (e.g.: "User Jane <user.jane@example.com>"
Because of the relatively small number of users at this moment, our plan to yank affected releases on PyPI and GitHub, and because raw text is rendered but does not seem to be executable, I am marking the Severity Low.
Update to version 5.3.3. The only difference from 5.3.2 is the code and documentation changes to resolve this vulnerability, so the update process should not be problematic.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-tomselect"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-26T20:34:02Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nUser supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and in some cases are rendered in browser as valid html tags.\n\n### Details\nAttributes passed to the widget (such as `label_field`) containing `\u003c`, `\u003e`, and similar tokens are not fully escaped. This results in some raw values reaching the widget, and rendering in part or fully.\n\nFor example, a label of: `\"Test User \u003cscript\u003eI can pass this to the label_field and it gets rendered\u003c/script\u003e\"` is rendered in the choices\u0027s label visually as `\"Test User \"` with the trailing space, and what appears as an un-executed script tag following it (which is visible when viewing source).\n\nThe actual output rendered in the browser for this example is: `\u003cdiv role=\"option\" data-value=\"63f205b6\" class=\"item\" data-ts-item=\"\"\u003eTest User \u003cscript\u003eI can pass this to the label_field and it gets rendered\u003c/script\u003e\u003c/div\u003e`\n\nThe script tags appears to be valid in Chrome dev tools, but doesn\u0027t appear execute code.\n\n### Impact\nAlthough the risk may be mediated since the content within the rendered `\u003cscript\u003e\u003c/script\u003e` tags does not seem to actually/immediately run, potential may exist for other ways of increasing the risk (e.g.: code injection). In addition, the widget does not display correctly for valid strings containing `\u003c` or `\u003e`. Valid use-cases for printing these characters include widget label fields displaying email addresses (e.g.: `\"User Jane \u003cuser.jane@example.com\u003e\"`\n\nBecause of the relatively small number of users at this moment, our plan to yank affected releases on PyPI and GitHub, and because raw text is rendered but does not seem to be executable, I am marking the Severity **Low**.\n\nUpdate to version **5.3.3**. The only difference from 5.3.2 is the code and documentation changes to resolve this vulnerability, so the update process should not be problematic.",
"id": "GHSA-785h-76cm-cpmf",
"modified": "2025-03-26T20:34:02Z",
"published": "2025-03-26T20:34:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OmenApps/django-tomselect/security/advisories/GHSA-785h-76cm-cpmf"
},
{
"type": "WEB",
"url": "https://github.com/OmenApps/django-tomselect/commit/0990ed36c8874f9d42fa9deff7734bf8dcd46d40"
},
{
"type": "PACKAGE",
"url": "https://github.com/OmenApps/django-tomselect"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Django TomSelect incomplete escaping of dangerous characters in widget attributes"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.