CVE-2017-7233 log
| Source |
|
| Severity | Medium |
| Remote | Yes |
| Type | Cross-site scripting |
| Description | Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) “safe” when they shouldn’t be. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-233 | python-django, python2-django | 1.10.3-2 | 1.11-1 | Medium | Fixed |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 06 Apr 2017 | ASA-201704-2 | AVG-233 | python-django | Medium | multiple issues |
| 06 Apr 2017 | ASA-201704-1 | AVG-233 | python2-django | Medium | multiple issues |
| References |
|---|
https://docs.djangoproject.com/en/dev/releases/1.11 |