5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.011 Low
EPSS
Percentile
84.2%
Updated python-django and python-django14 packages fix security vulnerabilities: The ModelAdmin.readonly_fields attribute in the Django admin allows displaying model fields and model attributes. While the former were correctly escaped, the latter were not. Thus untrusted content could be injected into the admin, presenting an exploitation vector for XSS attacks (CVE-2015-2241). Django relies on user input in some cases to redirect the user to an “on success” URL. The security checks for these redirects accepted URLs with leading control characters and so considered URLs like \x08javascript:… safe. This issue doesn’t affect Django currently, however, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack as some browsers such as Google Chrome ignore control characters at the start of a URL in an anchor href (CVE-2015-2317). Note that the CVE-2015-2241 issue does not affect python-django14 directly, but client code using it may be affected. Please see the March 9th upstream advisory for more information on this.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 4 | noarch | python-django | < 1.5.9-1.2 | python-django-1.5.9-1.2.mga4 |
Mageia | 4 | noarch | python-django14 | < 1.4.20-1 | python-django14-1.4.20-1.mga4 |