Vulnerability Description
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Fedoraproject | Fedora | 22 |
| Opensuse | Opensuse | 13.2 |
| Djangoproject | Django | <= 1.4.19 |
| Oracle | Solaris | 11.2 |
| Canonical | Ubuntu Linux | 10.04 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
- http://ubuntu.com/usn/usn-2539-1Third Party Advisory
- http://www.debian.org/security/2015/dsa-3204Third Party Advisory
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:195Broken Link
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlThird Party Advisory
- http://www.securityfocus.com/bid/73319
- https://www.djangoproject.com/weblog/2015/mar/18/security-releases/Vendor Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
- http://ubuntu.com/usn/usn-2539-1Third Party Advisory
FAQ
What is CVE-2015-2317?
CVE-2015-2317 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to co...
How severe is CVE-2015-2317?
CVE-2015-2317 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2317?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Opensuse Opensuse, Djangoproject Django, Oracle Solaris.