Bugzilla – Bug 1031450
VUL-1: CVE-2017-7233: python-django: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
Last modified: 2019-07-10 06:38:58 UTC
EMBARGOED via pre-notification. CRD: 2017-04-04 14:00 UTC

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
=========================================================================

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be.

Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

[...]

Affected versions
=================

* Django master development branch
* Django 1.11 (currently at release candidate status)
* Django 1.10
* Django 1.9
* Django 1.8
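The check below is an added example written for this bug entry; it is not Django's is_safe_url() nor the fix Django shipped, and the function names are hypothetical. It shows the defensive rule that closes this class of bypass: recognise the scheme with a plain RFC 3986 match instead of the stdlib's "all digits after the colon mean a port, not a scheme" exception, then refuse any URL that names a scheme but no host, so that http:999999999 is treated as the absolute URL a browser would load rather than as a local path.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
# No "digits after the colon are a port" exception: that stdlib special case
# made urlsplit("http:999999999") report neither scheme nor host, so the value
# looked like a relative path, while browsers load it as http://999999999/
# (an IPv4 address written as a single integer).
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def split_scheme(url):
    """Return (scheme, remainder); scheme is '' when the URL has none."""
    m = _SCHEME_RE.match(url)
    if not m:
        return "", url
    return m.group(1).lower(), url[m.end():]


def is_safe_redirect(url, allowed_host):
    """Accept only a relative path or an http(s) URL whose host is allowed_host.

    Hypothetical hardened check written for this example; not Django's code.
    """
    if not url:
        return False
    # Browsers skip leading control characters and may then read the rest as
    # scheme-relative, so refuse them outright.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Browsers treat backslashes as slashes in http(s) URLs; normalise first.
    normalised = url.replace("\\", "/")
    # Three or more leading slashes are an absolute URL to Chrome but a
    # host-less path to urlsplit.
    if normalised.startswith("///"):
        return False
    scheme, _ = split_scheme(normalised)
    if scheme and scheme not in ("http", "https"):
        return False  # javascript:, data:, ftp:, ...
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # A scheme without a host (http:999999999, http:///evil.example) is
    # completed by the browser to an absolute URL: never treat it as local.
    if scheme and not parts.netloc:
        return False
    return not parts.netloc or parts.netloc.lower() == allowed_host.lower()
```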
Public at https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
This is an autogenerated message for OBS integration: This bug (1031450) was mentioned in https://build.opensuse.org/request/show/589964 42.3 / python-Django
This is an autogenerated message for OBS integration: This bug (1031450) was mentioned in https://build.opensuse.org/request/show/590768 42.3 / python3-Django
openSUSE-SU-2018:0824-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000
CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
openSUSE Leap 42.3 (src): python3-Django-1.8.19-5.3.1

openSUSE-SU-2018:0826-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000
CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
openSUSE Leap 42.3 (src): python-Django-1.8.19-6.4.1

SUSE-SU-2018:0973-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305
CVE References: CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE OpenStack Cloud 7 (src): python-Django-1.8.19-3.4.1

SUSE-SU-2018:1102-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999
CVE References: CVE-2016-2512,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE OpenStack Cloud 6 (src): python-Django-1.8.19-3.6.1
released