CVE-2016-2512

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type

GIT

Repo

https://github.com/django/django

Events

Introduced

Last affected

c982190acf7bcfba5e78a7505a45774916865569

Introduced

Last affected

3df8ccf6fc3fa0ab2acf9a03da43fea87f8ff392

Introduced

Last affected

e70a309c428cfd4e600dc9fa0c7269b1e7a8efcd

Introduced

Last affected

c00335997744196738368f46c30ef2eeaa0ac849

Fixed

c5544d289233f501917e25970c03ed444abbd4f0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.8.9"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9.2"
        }
    ]
}

Affected versions

1.*

1.0

1.1

1.2

1.2.1

1.3

1.4

1.7a2

1.8

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.8.8

1.8.9

1.8a1

1.8b1

1.8b2

1.8c1

1.9

1.9.1

1.9.10

1.9.11

1.9.12

1.9.13

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

1.9a1

1.9b1

1.9rc1

1.9rc2

stable/1.*

stable/1.9.x

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2512.json"