CVE

CVE-2015-2317    Date: (C) 2015-03-30   (M) 2023-12-22


The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 4.3
Exploit Score: 8.6
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
  
Reference:
BID-73319
DSA-3204
FEDORA-2015-5766
FEDORA-2015-9604
MDVSA-2015:195
USN-2539-1
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
openSUSE-SU-2015:0643
openSUSE-SU-2015:1598

CPE (52):
cpe:/a:djangoproject:django:1.6.3
cpe:/a:djangoproject:django:1.6.2
cpe:/a:djangoproject:django:1.8.0
cpe:/a:djangoproject:django:1.6.5
...
CWE (1):
CWE-79
OVAL (5):
oval:org.secpod.oval:def:52433
oval:org.secpod.oval:def:602011
oval:org.secpod.oval:def:25792
oval:org.secpod.oval:def:702471
...

© SecPod Technologies