CVE-2011-0697
published 2011-02-14CVE-2011-0697: Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or…
PriorityP419medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EPSS
1.77%
75.4th percentile
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.2.5-1 (bookworm) | python-django 1.2.5-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.1 < 1.1.4 | 1.1.4 |
| djangoproject | django | >= 1.2 < 1.2.5 | 1.2.5 |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv4.3MEDIUM
vendor_ubuntu6.8MEDIUM
vendor_debian4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Django vulnerabilities
vendor_ubuntu·2011-02-17·CVSS 6.8
CVE-2011-0696 [MEDIUM] Django vulnerabilities
Title: Django vulnerabilities
Summary: Attackers could use Django to perform web-based attacks.
It was discovered that Django did not properly validate HTTP requests that
contain an X-Requested-With header. An attacker could exploit this
vulnerability to perform cross-site request forgery (CSRF) attacks.
(CVE-2011-0696)
It was discovered that Django did not properly sanitize its input when
performing file uploads, resulting in cross-site scripting (XSS)
vulnerabilities. With cross-site scripting vulnerabilities, if a user were
tricked into viewing server output during a crafted server request, a
remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2011-0697)
Instructions: ATTENTION: This update introduces a small backwards-
Debian
CVE-2011-0697: python-django - Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x ...
vendor_debian·2011·CVSS 4.3
CVE-2011-0697 [MEDIUM] CVE-2011-0697: python-django - Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x ...
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
Scope: local
bookworm: resolved (fixed in 1.2.5-1)
bullseye: resolved (fixed in 1.2.5-1)
forky: resolved (fixed in 1.2.5-1)
sid: resolved (fixed in 1.2.5-1)
trixie: resolved (fixed in 1.2.5-1)
GHSA
Cross-site scripting in django
ghsa·2018-07-23
CVE-2011-0697 [MEDIUM] CWE-79 Cross-site scripting in django
Cross-site scripting in django
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
OSV
Cross-site scripting in django
osv·2018-07-23
CVE-2011-0697 [MEDIUM] Cross-site scripting in django
Cross-site scripting in django
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
OSV
CVE-2011-0697: Cross-site scripting (XSS) vulnerability in Django 1
osv·2011-02-14·CVSS 4.3
CVE-2011-0697 [MEDIUM] CVE-2011-0697: Cross-site scripting (XSS) vulnerability in Django 1
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-0696 CVE-2011-0697 Django various flaws [fedora-all]
bugzilla·2011-02-09·CVSS 6.8
CVE-2011-0696 [MEDIUM] CVE-2011-0696 CVE-2011-0697 Django various flaws [fedora-all]
CVE-2011-0696 CVE-2011-0697 Django various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=676357
Please note: this issue affects multiple supported ve
Bugzilla
CVE-2011-0697 Django Potential XSS in file field rendering
bugzilla·2011-02-09·CVSS 4.3
CVE-2011-0697 [MEDIUM] CVE-2011-0697 Django Potential XSS in file field rendering
CVE-2011-0697 Django Potential XSS in file field rendering
http://www.djangoproject.com/weblog/2011/feb/08/security/
Django's form system includes form fields and widgets for performing file
uploads; in rendering these fields, the name of the file currently stored
in the field is displayed. In the process of rendering, the filename is
displayed without being escaped, as reported by Trac user "e.generalov".
In many cases this does not result in a cross-site-scripting vulnerability,
as file-storage backends can and are encouraged to (and the default
backends provided with Django do) sanitize the supplied filename according
to their requirements. However, the risk of a vulnerability appearing in a
backend which does not sanitize, or which performs insufficient
sanitization, is such that Dj
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.htmlhttp://openwall.com/lists/oss-security/2011/02/09/6http://secunia.com/advisories/43230http://secunia.com/advisories/43297http://secunia.com/advisories/43382http://secunia.com/advisories/43426http://www.debian.org/security/2011/dsa-2163http://www.djangoproject.com/weblog/2011/feb/08/security/http://www.mandriva.com/security/advisories?name=MDVSA-2011:031http://www.securityfocus.com/bid/46296http://www.ubuntu.com/usn/USN-1066-1http://www.vupen.com/english/advisories/2011/0372http://www.vupen.com/english/advisories/2011/0388http://www.vupen.com/english/advisories/2011/0429http://www.vupen.com/english/advisories/2011/0439http://www.vupen.com/english/advisories/2011/0441https://bugzilla.redhat.com/show_bug.cgi?id=676359http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.htmlhttp://openwall.com/lists/oss-security/2011/02/09/6http://secunia.com/advisories/43230http://secunia.com/advisories/43297http://secunia.com/advisories/43382http://secunia.com/advisories/43426http://www.debian.org/security/2011/dsa-2163http://www.djangoproject.com/weblog/2011/feb/08/security/http://www.mandriva.com/security/advisories?name=MDVSA-2011:031http://www.securityfocus.com/bid/46296http://www.ubuntu.com/usn/USN-1066-1http://www.vupen.com/english/advisories/2011/0372http://www.vupen.com/english/advisories/2011/0388http://www.vupen.com/english/advisories/2011/0429http://www.vupen.com/english/advisories/2011/0439http://www.vupen.com/english/advisories/2011/0441https://bugzilla.redhat.com/show_bug.cgi?id=676359
2011-02-14
Published