CVE-2017-7233

Name of the Vulnerable Software and Affected Versions Django versions 1.10 before 1.10.7 Django versions 1.9 before 1.9.13 Django versions 1.8 before 1.8.18

Description The issue relies on user input to redirect the user to an "on success" URL. The security check for these redirects, namely django.utils.http.is safe url(), considers some numeric URLs "safe" when they shouldn't be, leading to an open redirect vulnerability. Additionally, if a developer relies on is safe url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Recommendations For Django versions 1.10 before 1.10.7, update to version 1.10.7 or later. For Django versions 1.9 before 1.9.13, update to version 1.9.13 or later. For Django versions 1.8 before 1.8.18, update to version 1.8.18 or later. As a temporary workaround, consider disabling the use of django.utils.http.is safe url() until a patch is available. Restrict access to links that use is safe url() to minimize the risk of exploitation.