Skip to content

Django cross-site scripting (XSS) attack via user-supplied redirect URLs

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated May 7, 2024

Package

pip Django (pip)

Affected versions

< 1.4.20
>= 1.5, < 1.6.11
>= 1.7, < 1.7.7
>= 1.8a1, < 1.8c1

Patched versions

1.4.20
1.6.11
1.7.7
1.8c1

Description

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

References

Published by the National Vulnerability Database Mar 25, 2015
Published to the GitHub Advisory Database May 14, 2022
Reviewed Apr 29, 2024
Last updated May 7, 2024

Severity

Moderate

Weaknesses

CVE ID

CVE-2015-2317

GHSA ID

GHSA-7fq8-4pv5-5w5c

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.