GHSA-37hp-765x-j95x

Suggest an improvement
Source
https://github.com/advisories/GHSA-37hp-765x-j95x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-37hp-765x-j95x/GHSA-37hp-765x-j95x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-37hp-765x-j95x
Aliases
Published
2019-01-04T17:50:26Z
Modified
2024-09-18T16:25:30.395015Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Django open redirect and possible XSS attack via user-supplied numeric redirect URLs
Details

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.10a1
Fixed
1.10.7

Affected versions

1.*

1.10a1
1.10b1
1.10rc1
1.10
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.9a1
Fixed
1.9.13

Affected versions

1.*

1.9a1
1.9b1
1.9rc1
1.9rc2
1.9
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
1.9.10
1.9.11
1.9.12

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.8a1
Fixed
1.8.18

Affected versions

1.*

1.8a1
1.8b1
1.8b2
1.8c1
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17