CVE-2015-2317

2015-03-2514:59:00

CWE-79

[email protected]

web.nvd.nist.gov

django

cve

xss

security vulnerability

nvd

remote attackers

1.4.20

1.5.x

1.6.x

1.7.x

1.8.x

5.4 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

70.5%

JSON

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

CPENameOperatorVersion
fedoraproject:fedorafedoraproject fedoraeq22
debian:debian_linuxdebian debian linuxeq7.0
opensuse:opensuseopensuseeq13.2
djangoproject:djangodjangoproject djangoeq1.7.5
djangoproject:djangodjangoproject djangoeq1.5
djangoproject:djangodjangoproject djangoeq1.5.7
djangoproject:djangodjangoproject djangoeq1.5.1
djangoproject:djangodjangoproject djangoeq1.7.3
djangoproject:djangodjangoproject djangoeq1.6
djangoproject:djangodjangoproject djangole1.4.19

CPE	Name	Operator	Version
fedoraproject:fedora	fedoraproject fedora	eq	22
debian:debian_linux	debian debian linux	eq	7.0
opensuse:opensuse	opensuse	eq	13.2
djangoproject:django	djangoproject django	eq	1.7.5
djangoproject:django	djangoproject django	eq	1.5
djangoproject:django	djangoproject django	eq	1.5.7
djangoproject:django	djangoproject django	eq	1.5.1
djangoproject:django	djangoproject django	eq	1.7.3
djangoproject:django	djangoproject django	eq	1.6
djangoproject:django	djangoproject django	le	1.4.19