CVE-2017-7233

Published: 04/04/2017 Updated: 17/10/2018
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 517
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

Django 1.10 prior to 1.10.7, 1.9 prior to 1.9.13, and 1.8 prior to 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
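As an added illustration (not Django's code, and not the patched `is_safe_url()`), the two functions below contrast a host-only redirect check with one that rejects the scheme-without-host form the summary and the Django release note under Vendor Advisories describe (`http:999999999`); `ALLOWED_HOSTS`, the function names and the sample URLs are constructed for the demonstration.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list for the demonstration: the only host a redirect may target.
ALLOWED_HOSTS = {"app.example.com"}


def naive_is_safe_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Host-only check (an assumed weak pattern, not Django's code).

    An empty netloc is taken to mean "relative path, stays on this site".
    urlparse("http:999999999") yields scheme="http", netloc="", path="999999999",
    so this check accepts it, while browsers load it as http://999999999/.
    """
    parts = urlparse(url)
    return not parts.netloc or parts.netloc in allowed_hosts


def hardened_is_safe_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Same allow-list, plus structural rules on the URL's shape."""
    if not url:
        return False
    # Leading control characters: some browsers skip them and may then read
    # the remainder as a scheme-relative URL, so refuse them outright.
    if unicodedata.category(url[0])[0] == "C":
        return False
    parts = urlparse(url)
    # A scheme with no host ("http:999999999", "http:///evil.example") is the
    # shape behind this CVE: the parser sees a path, the browser sees a host.
    if parts.scheme and not parts.netloc:
        return False
    # Absolute URLs may only use http(s); the same value may end up in an href.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    return not parts.netloc or parts.netloc in allowed_hosts


def safe_redirect_target(candidate: str, fallback: str = "/") -> str:
    """Return the user-supplied target only if it passes the hardened check."""
    return candidate if hardened_is_safe_url(candidate) else fallback
```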

Vulnerable Products

djangoproject django 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17
djangoproject django 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.9.11, 1.9.12
djangoproject django 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6

Vendor Advisories

Several security issues were fixed in Django ...
Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-9013 Marti Raudsepp reported that a user with a hardcoded password is created when running tests with an Oracle database. CVE-2016-9014 Aymeric Au ...
Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common ...
Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat OpenStack Platform 9.0 (Mitaka). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sys ...
Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common ...
Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat OpenStack Platform 11.0 (Ocata). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sys ...
Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat OpenStack Platform 10.0 (Newton). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sy ...
Synopsis: Important: Satellite 6.4 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Satellite 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring ...
Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat OpenStack Platform 8.0 (Liberty). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sy ...
Debian Bug report logs - #859516 python-django: CVE-2017-7234: Open redirect vulnerability in django.views.static.serve(). Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: ...
Debian Bug report logs - #842856 python-django: CVE-2016-9013 CVE-2016-9014. Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 1 Nov 2016 19:39:02 UTC; Severity: impo ...
Debian Bug report logs - #859515 python-django: CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@deb ...
A redirect flaw, where the is_safe_url() function did not correctly sanitize numeric-URL user input, was found in python-django. A remote attacker could exploit this flaw to perform XSS attacks against the OpenStack dashboard ...
Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be. Also, if a developer relies on is_safe_ur ...

Github Repositories

Partial environments for reproducing Django vulnerabilities; using virtualenv to recreate some of the vulnerable setups is recommended.

django-cve-hub: partial environments and vulnerable implementation code from my earlier reproductions of historical Django CVEs, uploaded because I saw that someone needed them. A few are not yet very complete and will be filled in gradually when I have time. The more complete ones at present are: CVE-2017-7233 CVE-2017-7234

Project 9: Improve a Django Project. WARNING: Security Vulnerability. There are multiple vulnerabilities with versions of Django below 1.11.19 (see CVE-2019-6975, CVE-2019-3498, CVE-2017-7234, and CVE-2017-7233). These vulnerabilities have not been addressed, as part of the project specification is to use the packages according to the supplied requirements.txt. 1. Installation: Clon ...

The knife of the Admin & Security auditor

DEPRECATED: patton-cli has been moved into a module of the new patton repository for better maintenance. THIS REPOSITORY WILL BE DELETED AS OF JULY 1. Patton-cli - The knife of the Admin & Security auditor. Current version: 0.0.1. Project site: github.com/bbva/patton-cli. Issues: github.com/bbva/patton-cli/issues/. Python versions: 3.6 or above. What ...