CVE-2012-3442 — Cross-site Scripting in Django

CWE-79 — Cross-site Scripting10 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.5%

top 34.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedJul 31

Latest updateMay 17

Description

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.4 — 1.4.1+1

▶NVDdjangoproject/django1.3+18

Patches

Patch: www.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

Django Allows Redirect via Data URL↗2022-05-17

▶

GHSA

Django Allows Redirect via Data URL↗2022-05-17

▶

CVEList

CVE-2012-3442: The (1) django↗2012-07-31

▶

OSV

CVE-2012-3442: The (1) django↗2012-07-31

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2012-09-10

▶

Debian

CVE-2012-3442: python-django - The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermane...↗2012

▶

💬Community

Bugzilla

CVE-2012-3442 Django: 1.3.1 and 1.4.0 Cross-site scripting in authentication views [fedora-all]↗2012-07-31

▶

Bugzilla

CVE-2012-3442 Django: 1.3.1 and 1.4.0 Cross-site scripting in authentication views↗2012-07-31

▶

Bugzilla

CVE-2012-3442 Django: 1.3.1 and 1.4.0 Cross-site scripting in authentication views [epel-all]↗2012-07-31

▶