PT-2018-2304 · Django Software Foundation · Django

Andreas Hug · Published 2018-08-01 · Updated 2023-03-20 · CVE-2018-14574

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Django versions 1.11.x through 1.11.14
Django versions 2.0.x through 2.0.7

Description

The issue is an Open Redirect in the django.middleware.common.CommonMiddleware module of the Django framework. It occurs due to incorrect handling of URL patterns ending with a / when both django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are active. Exploitation of this issue could allow a remote attacker to redirect a user to a malicious URI.

Recommendations

For Django versions 1.11.x through 1.11.14, update to version 1.11.15 or later. For Django versions 2.0.x through 2.0.7, update to version 2.0.8 or later. As a temporary workaround, consider disabling the django.middleware.common.CommonMiddleware module until the update can be applied. Restrict access to URLs that could be used for open redirects to minimize the risk of exploitation.
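The description above names the component but not the defensive logic. The following Python is an added illustration, not code from this advisory or from Django itself; it shows the two checks a practitioner typically wants around an APPEND_SLASH-style redirect: a validator that accepts only same-origin paths, and a normaliser that neutralises scheme-relative targets (a location beginning with //host is resolved by browsers against host, not the current origin). The function names and the sample paths are constructed for the example; Django's own helpers for this differ in detail.

```python
from typing import Optional
from urllib.parse import urlsplit


def is_local_redirect_target(target: str) -> bool:
    """Return True only if `target` is a path on the current origin.

    Rejects absolute URLs (anything with a scheme or host), scheme-relative
    targets ('//host/...'), and the backslash variant ('/\\host/...') that
    some browsers normalise to '//'. Illustrative re-implementation, not
    Django's url_has_allowed_host_and_scheme().
    """
    if not target or not target.startswith("/"):
        return False
    # A second leading slash (or backslash) makes the path a network-path
    # reference, i.e. a different host.
    if target[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(target.replace("\\", "/"))
    return parts.scheme == "" and parts.netloc == ""


def escape_leading_slashes(path: str) -> str:
    """Percent-encode the second of two leading slashes.

    '//host/x' becomes '/%2Fhost/x', which browsers resolve as a path on the
    current origin instead of a redirect to `host`. Same idea as the hardening
    applied in the fixed Django releases; this is not Django's code.
    """
    if path.startswith("//"):
        return "/%2F" + path[2:]
    return path


def append_slash_target(request_path: str, append_slash: bool = True) -> Optional[str]:
    """Compute the redirect Location an APPEND_SLASH-style handler would emit.

    Returns None when the path already ends with '/' or the feature is off;
    otherwise returns the hardened path with the trailing slash appended.
    (Hypothetical helper for the example, not CommonMiddleware's API.)
    """
    if not append_slash or request_path.endswith("/"):
        return None
    return escape_leading_slashes(request_path + "/")


if __name__ == "__main__":
    # Constructed sample request paths, not taken from the advisory.
    for path in ("/about", "/about/", "//example.test", "/\\example.test"):
        location = append_slash_target(path)
        safe = location is not None and is_local_redirect_target(location)
        print(f"{path!r:22} -> {location!r:26} local={safe}")
```

Run the module directly to see how the scheme-relative sample is rewritten to a same-origin path; the same validator can be applied to any redirect target an application builds from request data, which is the practical form of the "restrict access to URLs that could be used for open redirects" recommendation above.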

Fix

Weakness Enumeration

Open Redirect

Related Identifiers

BDU:2019-00436
CVE-2018-14574
DSA-4264-1
GHSA-5HG3-6C2F-F3WR
OPENSUSE-SU-2018:2327-1
OPENSUSE-SU-2018:2809-1
OPENSUSE-SU-2018_2375-1
OPENSUSE-SU-2018_2488-1
OPENSUSE-SU-2023:0077-1
PYSEC-2018-2
RHSA-2019:0265
SUSE-SU-2018:3549-1
SUSE-SU-2019:1862-1
USN-3726-1

Affected Products

Django
Suse
Ubuntu