CVE-2015-2317

Published: 25/03/2015 Updated: 30/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The utils.http.is_safe_url function in Django prior to 1.4.20, 1.5.x, 1.6.x prior to 1.6.11, 1.7.x prior to 1.7.7, and 1.8.x prior to 1.8c1 does not properly validate URLs, which allows remote malicious users to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
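The validation gap described above, shown as an added example written for this page (a constructed approximation, not Django's own code): a naive redirect check that mirrors the pre-fix logic lets a target through when its first character is a control character, while the hardened variant refuses any leading Unicode control character before parsing. The host `example.com`, the function names and the sample targets are assumptions.

```python
import unicodedata
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def naive_is_safe_url(url: str, host: str) -> bool:
    """Constructed approximation of the pre-fix check (not Django's code).

    Accepts a redirect target that has no host (or only the expected host)
    and no scheme (or only http/https). str.strip() removes whitespace but
    not a control character such as \\x08, and urlparse() sees no scheme in
    "\\x08javascript:..." because \\x08 is not a scheme character, so the
    string falls through as if it were a harmless relative path.
    Note: interpreters carrying the fix for CVE-2023-24329 make urlsplit()
    drop leading C0 controls (\\x00-\\x1f) and spaces itself, so "\\x08"
    may already be rejected there; a \\x7f prefix is not dropped.
    """
    url = url.strip()
    if not url:
        return False
    parts = urlparse(url)
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def hardened_is_safe_url(url: str, host: str) -> bool:
    """Same check, plus rejection of a leading Unicode control character.

    Browsers may skip control characters at the start of a URL before
    reading the scheme, so a first character in any Unicode "C*" category
    (Cc, Cf, ...) is refused before the URL is parsed at all.
    """
    url = url.strip()
    if not url:
        return False
    if unicodedata.category(url[0]).startswith("C"):
        return False
    return naive_is_safe_url(url, host)


if __name__ == "__main__":
    host = "example.com"  # assumed application host
    for target in ("/accounts/profile/", "https://example.com/next",
                   "https://evil.invalid/", "javascript:alert(1)",
                   "\x08javascript:alert(1)", "\x7fjavascript:alert(1)"):
        print(repr(target), naive_is_safe_url(target, host),
              hardened_is_safe_url(target, host))
```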

Vulnerable Products

opensuse opensuse 13.2

fedoraproject fedora 22

debian debian linux 7.0

djangoproject django 1.5.1

djangoproject django 1.5.2

djangoproject django 1.5.10

djangoproject django 1.5.11

djangoproject django 1.6.1

djangoproject django 1.6.10

djangoproject django 1.6.8

djangoproject django 1.6.9

djangoproject django 1.7.1

djangoproject django 1.7.2

djangoproject django 1.5

djangoproject django 1.5.7

djangoproject django 1.5.8

djangoproject django 1.5.9

djangoproject django 1.6

djangoproject django 1.6.6

djangoproject django 1.6.7

djangoproject django 1.7

djangoproject django 1.8.0

djangoproject django

djangoproject django 1.5.5

djangoproject django 1.5.6

djangoproject django 1.6.4

djangoproject django 1.6.5

djangoproject django 1.7.5

djangoproject django 1.7.6

djangoproject django 1.5.3

djangoproject django 1.5.4

djangoproject django 1.5.12

djangoproject django 1.6.2

djangoproject django 1.6.3

djangoproject django 1.7.3

djangoproject django 1.7.4

oracle solaris 11.2

canonical ubuntu linux 14.04

canonical ubuntu linux 14.10

canonical ubuntu linux 10.04

canonical ubuntu linux 12.04

Vendor Advisories

Several security issues were fixed in Django ...
Debian Bug report logs - #780874 python-django: CVE-2015-2316: Denial-of-service possibility with strip_tags() Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 20 Ma ...
Debian Bug report logs - #780873 python-django: CVE-2015-2317 Mitigated possible XSS attack via user-supplied redirect URLs Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Dat ...
Daniel Chatfield discovered that python-django, a high-level Python web development framework, incorrectly handled user-supplied redirect URLs. A remote attacker could use this flaw to perform a cross-site scripting attack. For the stable distribution (wheezy), this problem has been fixed in version 1.4.5-1+deb7u11. For the unstable distribution (s ...