CVE-2015-0220

2015-01-1616:59:00

CWE-79

[email protected]

web.nvd.nist.gov

cve-2015-0220

django

xss

cross-site scripting

security vulnerability

nvd

5.3 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.007 Low

EPSS

Percentile

80.7%

JSON

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a “\njavascript:” URL.

CPENameOperatorVersion
canonical:ubuntu_linuxcanonical ubuntu linuxeq12.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq14.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq14.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq10.04
djangoproject:djangodjangoproject djangole1.4.17
djangoproject:djangodjangoproject djangoeq1.6.7
djangoproject:djangodjangoproject djangoeq1.6.5
djangoproject:djangodjangoproject djangoeq1.6.8
djangoproject:djangodjangoproject djangoeq1.6.6
djangoproject:djangodjangoproject djangoeq1.7.2

CPE	Name	Operator	Version
canonical:ubuntu_linux	canonical ubuntu linux	eq	12.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	14.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	14.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	10.04
djangoproject:django	djangoproject django	le	1.4.17
djangoproject:django	djangoproject django	eq	1.6.7
djangoproject:django	djangoproject django	eq	1.6.5
djangoproject:django	djangoproject django	eq	1.6.8
djangoproject:django	djangoproject django	eq	1.6.6
djangoproject:django	djangoproject django	eq	1.7.2