PT-2012-4715 · Django · Django

Kurt Seifried

Published

2012-07-31

Updated

2022-05-17

CVE-2012-3442

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Django versions prior to 1.3.2 Django versions 1.4.x prior to 1.4.1

Description The django.http.HttpResponseRedirect and django.http.HttpResponsePermanentRedirect classes in Django do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

Recommendations For Django versions prior to 1.3.2, update to version 1.3.2 or later. For Django versions 1.4.x prior to 1.4.1, update to version 1.4.1 or later.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2012-3442

DSA-2529-1

GHSA-78VX-GGCH-WGHM

PYSEC-2012-2

Affected Products

Django

PT-2012-4715 · Django · Django

CVE-2012-3442

Weakness Enumeration

Related Identifiers

Affected Products

References · 16