CVE-2015-2317
Published: 2015-03-25
Priority: P4 · 22
CVSS 2.0: 4.3 (medium), vector AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 5.03% (91.2th percentile)
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
Affected
46 ranges, showing 25 (identical rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | python-django | < python-django 1.7.7-1 (bookworm) | python-django 1.7.7-1 (bookworm) |
| djangoproject | django | <= 1.4.19 | — |
| djangoproject | django | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Ubuntu
Django vulnerabilities
Source: vendor_ubuntu · 2015-03-23 · CVSS 5.0 · CVE-2015-2316 [MEDIUM]
Summary: Several security issues were fixed in Django.
Andrey Babak discovered that Django incorrectly handled strip_tags. A remote attacker could possibly use this issue to cause Django to enter an infinite loop, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2316)
Daniel Chatfield discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack. (CVE-2015-2317)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Django: possible XSS attack via user-supplied redirect URLs
Source: vendor_redhat · 2015-03-18 · CVSS 4.3 · CVE-2015-2317 [MEDIUM] · CWE-79
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Fix deferred
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Fix deferred
Package: Django14 (Red Hat OpenStack Platform 4) - Will not fix
Package: Django (Red Hat Subscription Asset Manager) - Will not fix
Debian
CVE-2015-2317: python-django - The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before...
Source: vendor_debian · 2015 · CVSS 4.3 · CVE-2015-2317 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 1.7.7-1)
bullseye: resolved (fixed in 1.7.7-1)
forky: resolved (fixed in 1.7.7-1)
sid: resolved (fixed in 1.7.7-1)
trixie: resolved (fixed in 1.7.7-1)
GHSA
Django cross-site scripting (XSS) attack via user-supplied redirect URLs
Source: ghsa · 2022-05-14 · CVE-2015-2317 [MEDIUM] · CWE-79
OSV
Django cross-site scripting (XSS) attack via user-supplied redirect URLs
Source: osv · 2022-05-14 · CVE-2015-2317 [MEDIUM]
OSV
CVE-2015-2317: The utils
Source: osv · 2015-03-25 · CVSS 4.3 · CVE-2015-2317 [MEDIUM]
OSV
python-django vulnerabilities
Source: osv · 2015-03-23 · CVSS 5.0 · CVE-2015-2316 [MEDIUM]
(Same advisory text as the Ubuntu entry above.)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-2317 python-django14: Django: possible XSS attack via user-supplied redirect URLs [fedora-20]
Source: bugzilla · 2015-03-19 · CVSS 4.3 · CVE-2015-2317 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
fedora-20 tracking bug for pyth
Bugzilla
CVE-2015-2317 python-django: Django: possible XSS attack via user-supplied redirect URLs [epel-7]
Source: bugzilla · 2015-03-19 · CVSS 4.3 · CVE-2015-2317 [MEDIUM]
(Standard Fedora EPEL tracking-bug text, as above.)
epel-7 tracking bug for python-
Bugzilla
CVE-2015-2317 python-django: Django: possible XSS attack via user-supplied redirect URLs [fedora-all]
Source: bugzilla · 2015-03-19 · CVSS 4.3 · CVE-2015-2317 [MEDIUM]
(Standard Fedora tracking-bug text, as above.)
NOTE: this issue affects multipl
Bugzilla
CVE-2015-2317 Django14: Django: possible XSS attack via user-supplied redirect URLs [epel-6]
Source: bugzilla · 2015-03-19 · CVSS 4.3 · CVE-2015-2317 [MEDIUM]
(Standard Fedora EPEL tracking-bug text, as above.)
epel-6 tracking bug for Django14: se
Bugzilla
Django 1.4.20/1.6.11/1.7.7 security update (MDN)
Source: bugzilla · 2015-03-19 · [MEDIUM]
On Wednesday, March 18th, 2015, the Django project issued a set of releases to remedy security issues reported. This bug contains descriptions of the issues.
Please read the entirety of this bug. Then either:
1. apply the update and mark this bug as FIXED, or
2. verify this doesn't apply to your project and close this bug with a WONTFIX plus an explanation of why these don't apply to your project
From the blog entry at https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
"""
In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.4.20, 1.6.11, 1.7.7 and 1.8c1. These releases are now available on PyPI and our download page. These releases address several security issues de
Bugzilla
CVE-2015-2317 Django: possible XSS attack via user-supplied redirect URLs
Source: bugzilla · 2015-03-17 · CVSS 4.3 · CVE-2015-2317 [MEDIUM]
The following flaw was found in Django:
Django relies on user input in some cases (e.g. django.contrib.auth.views.login and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) accepted URLs with leading control characters and so considered URLs like \x08javascript:... safe. This issue doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there. Browsers we tested also treat URLs prefixed with control characters such as %08//example.com as relative paths so redirection to an unsafe target isn't a problem either.
However, if a developer relies on is_safe_url()
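As an added illustration (written for this page, not Django's code and not part of the Bugzilla comment above), the validator below models the class of check the advisory describes: a redirect-target filter that, like the fixed is_safe_url(), rejects URLs whose first character is a control character, rejects scheme-without-host and triple-slash forms, and otherwise allows only relative paths or http(s) URLs on one expected host. The function name, the allowed host and the sample inputs are constructed for the example.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed sample inputs, each paired with the verdict a hardened check
# should give. The "\x08javascript:" form is the case the advisory names.
SAMPLE_URLS = {
    "/accounts/profile/": True,           # relative path on the same site
    "https://example.com/next": True,     # absolute URL on the allowed host
    "\x08javascript:void(0)": False,      # leading control char (CVE-2015-2317)
    "javascript:void(0)": False,          # non-http scheme
    "https://evil.example.net/": False,   # different host
    "///evil.example.net": False,         # treated as absolute by some browsers
    "http:///example.com": False,         # scheme present but no host
    "": False,                            # empty target
}


def is_safe_redirect(url, allowed_host):
    """Return True only for a relative path or an http(s) URL whose host is
    exactly allowed_host. Modelled on the checks the Django fix introduced;
    this is an illustration, not Django's implementation."""
    if not url:
        return False
    # Browsers skip some leading control characters, so "\x08javascript:..."
    # is interpreted as "javascript:...". Reject any URL whose first
    # character falls in a Unicode "C" (control/other) category.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Chrome treats backslashes as forward slashes; normalise before parsing.
    url = url.replace("\\", "/")
    # Three leading slashes are an absolute URL to some browsers but a plain
    # path to urlparse, so the two would disagree; reject outright.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with an empty host (http:///example.com) parses inconsistently.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # Either no host at all (relative path) or exactly the allowed host.
    return (not parts.netloc) or parts.netloc == allowed_host


def check_samples(allowed_host="example.com"):
    """Run every constructed sample through the validator and return the set
    of inputs whose verdict differs from the expected one (empty = all pass)."""
    return {u for u, expected in SAMPLE_URLS.items()
            if is_safe_redirect(u, allowed_host) != expected}
```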
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
- http://ubuntu.com/usn/usn-2539-1
- http://www.debian.org/security/2015/dsa-3204
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:195
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.securityfocus.com/bid/73319
- https://www.djangoproject.com/weblog/2015/mar/18/security-releases/