6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
72.3%
Severity: Medium
Date : 2017-04-06
CVE-ID : CVE-2017-7233 CVE-2017-7234
Package : python2-django
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-233
The package python2-django before version 1.11-1 is vulnerable to
multiple issues including cross-site scripting and open redirect.
Upgrade to 1.11-1.
The problems have been fixed upstream in version 1.11.
None.
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login() and i18n) to redirect the user to an
“on success” URL. The security check for these redirects (namely
django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
http:999999999) “safe” when they shouldn’t be.
Also, if a developer relies on is_safe_url() to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS
attack.
A maliciously crafted URL to a Django site using the serve() view could
redirect to any other domain. The view no longer does any redirects as
they don’t provide any known, useful functionality.
Note, however, that this view has always carried a warning that it is
not hardened for production use and should be used only as a
development aid.
A remote attacker is able to use a specially crafted numeric-URL to
execute arbitrary javascript on the client’s machine and craft a
malious URL to a Django site which could redirect to any other domain.
https://docs.djangoproject.com/en/dev/releases/1.11
https://security.archlinux.org/CVE-2017-7233
https://security.archlinux.org/CVE-2017-7234
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | python2-django | < 1.11-1 | UNKNOWN |
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
72.3%