PYSEC-2017-9

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2017-9.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2017-9
Aliases
Published
2017-04-04T17:59:00Z
Modified
2023-11-08T03:59:24.015077Z
Summary
[none]
Details

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.10
Fixed
1.10.7
Introduced
1.9
Fixed
1.9.13
Introduced
1.8
Fixed
1.8.18

Affected versions

1.*

1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.9
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
1.9.10
1.9.11
1.9.12
1.10
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6