Django Software Foundation · Django · CVE-2016-2512
**Name of the Vulnerable Software and Affected Versions**
Django versions 1.8.0 through 1.8.9
Django versions 1.9.0 through 1.9.2
**Description**
This vulnerability allows a remote attacker to redirect users to arbitrary web sites and conduct phishing attacks, or possibly cross-site scripting (XSS) attacks, via a URL containing basic authentication credentials. It is demonstrated by a URL such as `http://mysite.example.com@attacker.com`: the part before the `@` is only the userinfo component, so the real host is `attacker.com` even though the URL appears to point at the trusted site, and it could be used to trick users into revealing sensitive information.
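As an added illustration (not Django's code and not part of the original advisory), the check below contrasts a hypothetical prefix-matching redirect validator, which accepts the demonstration URL, with a hardened validator that parses the URL and rejects credentials, unexpected schemes and foreign hosts. The allowed host `mysite.example.com`, the `attacker.com` inputs and the backslash handling are assumptions, not details taken from the advisory.

```python
import unicodedata
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"mysite.example.com"}  # constructed: the host the app serves
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_safe_redirect(url, trusted_host):
    """Hypothetical weak check: trusts any URL that starts with the site's
    origin. Everything before '@' in the authority is userinfo, so the
    advisory's demonstration URL passes although its host is attacker.com."""
    url = url.strip()
    is_local_path = url.startswith("/") and not url.startswith("//")
    return is_local_path or url.startswith(
        ("http://" + trusted_host, "https://" + trusted_host))


def _safe_form(url, allowed_hosts):
    # Browsers read three leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    # A scheme with no authority (http:///attacker.com) is still parsed by
    # browsers as a host, so refuse it.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:  # javascript:, data:
        return False
    # Credentials in a redirect target are the CVE-2016-2512 trick: reject them
    # rather than reason about which part of the authority the browser uses.
    if "@" in parts.netloc:
        return False
    # Relative paths have no authority; absolute URLs must name an allowed host.
    return not parts.netloc or parts.hostname in allowed_hosts


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Hardened check. Assumption: browsers disagree on whether a backslash
    ends the userinfo or acts as a path separator, so both readings of the
    URL must be safe (a defensive choice here, not Django's implementation)."""
    if not url or not url.strip():
        return False
    url = url.strip()
    # Some browsers ignore leading control characters; treat them as unsafe.
    if unicodedata.category(url[0])[0] == "C":
        return False
    return _safe_form(url, allowed_hosts) and _safe_form(
        url.replace("\\", "/"), allowed_hosts)
```

The naive check also accepts `http://mysite.example.com.attacker.com/`, another prefix-matching failure the parsed hostname comparison catches.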
**Recommendations**
For Django versions 1.8.0 through 1.8.9, update to version 1.8.10 or later.
For Django versions 1.9.0 through 1.9.2, update to version 1.9.3 or later.