PT-2014-3648 · Django Software Foundation+1 · Django+1

Florian Apolloner

Publicado

2014-08-26

Atualizado

2022-05-14

CVE-2014-0480

CVSS v4.0

8.7

Alta

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Django versions 1.4.x through 1.4.13 Django versions 1.5.x through 1.5.8 Django versions 1.6.x through 1.6.5 Django versions 1.7 before release candidate 3

Description The issue allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated. This occurs due to improper validation of URLs by the core.urlresolvers.reverse function.

Recommendations For Django versions 1.4.x through 1.4.13, update to version 1.4.14 or later. For Django versions 1.5.x through 1.5.8, update to version 1.5.9 or later. For Django versions 1.6.x through 1.6.5, update to version 1.6.6 or later. For Django versions 1.7 before release candidate 3, update to release candidate 3 or later.

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2014-0480

DLA-65-1

DSA-3010-1

GHSA-F7CM-CCFP-3Q4R

MGASA-2014-0366

PYSEC-2014-4

SUSE-SU-2015:0563-1

SUSE-SU-2015:0695-1

USN-2347-1

Produtos afetados

Django

Ubuntu

PT-2014-3648 · Django Software Foundation+1 · Django+1

CVE-2014-0480

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 30