CVE-2015-2241
Published: 2015-03-12
CVE-2015-2241: Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to…
Priority: P4 · 18 · medium · CVSS 2.0: 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 2.05% (78.9th percentile)
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.7.6-1 (bookworm) | python-django 1.7.6-1 (bookworm) |
| djangoproject | django | <= 1.7.5 | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 0 < 1.7.6 | 1.7.6 |
| djangoproject | django | >= 1.8a1 < 1.8b2 | 1.8b2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
GHSA
Django Cross-site Scripting Vulnerability
ghsa · 2022-05-17 · MEDIUM · CWE-79
Cross-site scripting (XSS) vulnerability in the contents function in `admin/helpers.py` in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in `ModelAdmin.readonly_fields`, as demonstrated by an `@property`.
OSV
Django Cross-site Scripting Vulnerability
osv · 2022-05-17 · MEDIUM
Cross-site scripting (XSS) vulnerability in the contents function in `admin/helpers.py` in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in `ModelAdmin.readonly_fields`, as demonstrated by an `@property`.
OSV
CVE-2015-2241: Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers
osv · 2015-03-12 · MEDIUM · CVSS 4.3
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Red Hat
Django: XSS attack via properties in ModelAdmin.readonly_fields
vendor_redhat · 2015-03-09 · MEDIUM · CWE-79 · CVSS 4.3
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Statement: Not vulnerable. The 1.7 and 1.8 versions of Django are not shipped in any Red Hat product as of March 2015.
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: Django14 (Red Hat OpenStack Platform 4) - Not affected
Package: Django (Red Hat Subscription Asset Manager) - Not affected
Debian
CVE-2015-2241: python-django - Cross-site scripting (XSS) vulnerability in the contents function in admin/helpe...
vendor_debian · 2015 · MEDIUM · CVSS 4.3
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Scope: local
bookworm: resolved (fixed in 1.7.6-1)
bullseye: resolved (fixed in 1.7.6-1)
forky: resolved (fixed in 1.7.6-1)
sid: resolved (fixed in 1.7.6-1)
trixie: resolved (fixed in 1.7.6-1)
No detection rules found.
No public exploits indexed.
arXiv
DjangoChecker: Applying Extended Taint Tracking and Server Side Parsing for Detection of Context-Sensitive XSS Flaws
arxiv_fulltext·2020-05-14
DjangoChecker: Applying Extended Taint Tracking and Server Side Parsing for Detection of Context-Sensitive XSS Flaws
## Abstract
Cross-site scripting (XSS) flaws are a class of security flaws that permit the injection of malicious code into a web application.
In simple situations, these flaws can be caused by missing input sanitizations. Sometimes, however, all application inputs
are sanitized, but the sanitizations are not appropriate for the browser contexts of the sanitized values. Using an incorrect
sanitizer can make the application look protected, when it is in fact vulnerable as if no sanitization was used, creating a context-sensitive XSS flaw.
To discover context-sensitive XSS flaws, we introduce DjangoChecker.
DjangoChecker combines extended dynamic taint tracking with a model browser for context analysis.
We demonstrate the practical application of DjangoChecker on eight mature web applicati
Bugzilla
CVE-2015-2241 Django: XSS attack via properties in ModelAdmin.readonly_fields
bugzilla · 2015-03-11 · MEDIUM · CVSS 4.3
The following flaw was found in Django 1.7 and 1.8:
The ModelAdmin.readonly_fields attribute in the Django admin allows displaying model fields and model attributes. While the former were correctly escaped, the latter were not. Thus untrusted content could be injected into the admin, presenting an exploitation vector for XSS attacks.
In this vulnerability, every model attribute used in readonly_fields that is not an actual model field (e.g. a @property) will fail to be escaped even if that attribute is not marked as safe. In this release, autoescaping is now correctly applied.
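The distinction the advisory draws (real model fields escaped, non-field attributes such as a `@property` returned verbatim) is easier to see in code. The following is an added example written for this page, not Django's own `admin/helpers.py`: `SafeString`, `mark_safe`, `conditional_escape`, the `Article` model and the two `readonly_contents_*` functions are simplified stand-ins constructed here, and the sample title string is constructed input. It shows the pre-1.7.6 rendering rule beside the fixed rule (autoescape everything unless the value is explicitly marked safe) and includes a small audit helper that lists which `readonly_fields` entries are non-field attributes, i.e. the kind affected before the fix.

```python
import html
from typing import Any, Dict, List

# Constructed stand-ins for django.utils.safestring / django.utils.html.
# Assumptions for this example, not Django's implementation.


class SafeString(str):
    """Marks a string as already-escaped HTML (stand-in for Django's SafeString)."""


def mark_safe(value: str) -> SafeString:
    """Stand-in for mark_safe(): the developer vouches that `value` is safe HTML."""
    return SafeString(value)


def conditional_escape(value: Any) -> SafeString:
    """Escape unless the value is explicitly marked safe (same contract as Django's)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


class Field:
    """Minimal stand-in for a model field definition."""

    def __init__(self, name: str) -> None:
        self.name = name


class Article:
    """Toy model: one real field (title) plus two non-field attributes (properties)."""

    model_fields: Dict[str, Field] = {"title": Field("title")}

    def __init__(self, title: str) -> None:
        self.title = title  # user-controlled content stored in the database

    @property
    def shouted_title(self) -> str:
        # Plain string derived from user data: must be escaped when rendered.
        return self.title.upper()

    @property
    def title_badge(self) -> SafeString:
        # Markup the developer built deliberately, escaping the untrusted part themselves.
        return mark_safe('<span class="badge">%s</span>' % html.escape(self.title))


def readonly_contents_before(obj: Any, attr: str) -> str:
    """Pre-1.7.6 rule: only values of real model fields go through escaping."""
    if attr in type(obj).model_fields:
        return conditional_escape(getattr(obj, attr))
    # Non-field attribute (e.g. a @property): returned verbatim -> an XSS sink.
    return str(getattr(obj, attr))


def readonly_contents_after(obj: Any, attr: str) -> str:
    """Fixed rule: every value is autoescaped unless it is explicitly marked safe."""
    return conditional_escape(getattr(obj, attr))


def non_field_readonly_entries(model: type, readonly_fields: List[str]) -> List[str]:
    """Audit helper: readonly_fields entries that are not model fields (the affected kind)."""
    return [name for name in readonly_fields if name not in model.model_fields]


if __name__ == "__main__":
    article = Article("Hello <script>bad()</script>")  # constructed sample input
    for attr in ("title", "shouted_title", "title_badge"):
        print(attr, "| before fix:", readonly_contents_before(article, attr))
        print(attr, "| after fix: ", readonly_contents_after(article, attr))
    print("non-field entries:",
          non_field_readonly_entries(Article, ["title", "shouted_title", "title_badge"]))
```

The `title_badge` property is the case that matters for the fix: autoescaping everything would break legitimately built markup, so the corrected rule escapes by default and leaves only values the developer explicitly marked safe untouched. On a pre-1.7.6 deployment, `non_field_readonly_entries` run over each `ModelAdmin`'s `readonly_fields` gives the list of attributes whose rendering relied on the missing escaping.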
Upstream Issue:
https://code.djangoproject.com/ticket/24461
Upstream patches:
1.8 -- https://github.com/django/django/commit/d16e4e
References:
http://www.mandriva.com/security/advisories?name=MDVSA-2015:109
http://www.securityfocus.com/bid/73095
https://code.djangoproject.com/ticket/24461
https://www.djangoproject.com/weblog/2015/mar/09/security-releases/
Published: 2015-03-12