PT-2016-5174 · Django Software Foundation+2 · Django+2

Mark Striemer

Published

2016-03-01

Updated

2024-06-15

CVE-2016-2512

CVSS v3.1

7.4

High

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Django versions 1.8.0 through 1.8.9 Django versions 1.9.0 through 1.9.2

Description The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication. This is demonstrated by a URL such as http://mysite.example.com@attacker.com, which could be used to trick users into revealing sensitive information.

Recommendations For Django versions 1.8.0 through 1.8.9, update to version 1.8.10 or later. For Django versions 1.9.0 through 1.9.2, update to version 1.9.3 or later.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2016-2173

CVE-2016-2512

DSA-3544-1

GHSA-PW27-W7W4-9QC7

MGASA-2016-0096

OPENSUSE-SU-2024:10361-1

PYSEC-2016-15

RHSA-2016:0502

RHSA-2016:0503

RHSA-2016:0504

RHSA-2016:0505

RHSA-2016:0506

SUSE-SU-2018:1102-1

SUSE-SU-2018:1828-1

SUSE-SU-2018:1830-1

USN-2915-1

USN-2915-2

USN-2915-3

Affected Products

Alt Linux

Django

Ubuntu

PT-2016-5174 · Django Software Foundation+2 · Django+2

CVE-2016-2512

Weakness Enumeration

Related Identifiers

Affected Products

References · 67