GHSA-7fq8-4pv5-5w5c

Suggest an improvement
Source
https://github.com/advisories/GHSA-7fq8-4pv5-5w5c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7fq8-4pv5-5w5c/GHSA-7fq8-4pv5-5w5c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7fq8-4pv5-5w5c
Aliases
Published
2022-05-14T02:06:51Z
Modified
2024-09-18T16:08:07.646239Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Django cross-site scripting (XSS) attack via user-supplied redirect URLs
Details

The utils.http.issafeurl function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.20

Affected versions

1.*

1.0.1
1.0.2
1.0.3
1.0.4
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.3
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16
1.4.17
1.4.18
1.4.19

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.5
Fixed
1.6.11

Affected versions

1.*

1.5
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.5.12
1.6
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.7
Fixed
1.7.7

Affected versions

1.*

1.7
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.8a1
Fixed
1.8c1

Affected versions

1.*

1.8a1
1.8b1
1.8b2