An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.
www.openwall.com/lists/oss-security/2019/06/03/2
docs.djangoproject.com/en/dev/releases/1.11.21
docs.djangoproject.com/en/dev/releases/2.1.9
docs.djangoproject.com/en/dev/releases/2.2.2
docs.djangoproject.com/en/dev/releases/security
github.com/django/django
github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62
github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673
github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8
nvd.nist.gov/vuln/detail/CVE-2019-12308
www.djangoproject.com/weblog/2019/jun/03/security-releases