PT-2015-5710 · Django Software Foundation+1 · Django+1
Daniel Chatfield
·
Published
2015-03-19
·
Updated
2022-05-14
·
CVE-2015-2317
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Django versions prior to 1.4.20
Django versions 1.5.x
Django versions 1.6.x prior to 1.6.11
Django versions 1.7.x prior to 1.7.7
Django versions 1.8.x prior to 1.8c1
Description
The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL. This is demonstrated by a URL containing a control character, such as
x08javascript:. The utils.http.is safe url function does not properly validate URLs, leading to this security issue.Recommendations
For Django versions prior to 1.4.20, update to version 1.4.20 or later.
For Django versions 1.5.x, update to a version with the fix, as 1.5.x is affected but no specific end version is provided.
For Django versions 1.6.x prior to 1.6.11, update to version 1.6.11 or later.
For Django versions 1.7.x prior to 1.7.7, update to version 1.7.7 or later.
For Django versions 1.8.x prior to 1.8c1, update to version 1.8c1 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Django
Ubuntu