PT-2015-5710 · Django Software Foundation+1 · Django+1
Daniel Chatfield
·
Publicado
2015-03-19
·
Atualizado
2022-05-14
·
CVE-2015-2317
CVSS v4.0
5.3
Média
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Django versions prior to 1.4.20
Django versions 1.5.x
Django versions 1.6.x prior to 1.6.11
Django versions 1.7.x prior to 1.7.7
Django versions 1.8.x prior to 1.8c1
Description
The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL. This is demonstrated by a URL containing a control character, such as
x08javascript:. The utils.http.is safe url function does not properly validate URLs, leading to this security issue.Recommendations
For Django versions prior to 1.4.20, update to version 1.4.20 or later.
For Django versions 1.5.x, update to a version with the fix, as 1.5.x is affected but no specific end version is provided.
For Django versions 1.6.x prior to 1.6.11, update to version 1.6.11 or later.
For Django versions 1.7.x prior to 1.7.7, update to version 1.7.7 or later.
For Django versions 1.8.x prior to 1.8c1, update to version 1.8c1 or later.
Correção
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Django
Ubuntu