Lucene search

[email protected]NVD:CVE-2015-2317

HistoryMar 25, 2015 - 2:59 p.m.

CVE-2015-2317

2015-03-2514:59:04

CWE-79

[email protected]

web.nvd.nist.gov

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.5

Confidence

High

EPSS

0.003

Percentile

70.8%

JSON

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

Affected configurations

Nvd

Node

debiandebian_linuxMatch7.0

fedoraprojectfedoraMatch22

opensuseopensuseMatch13.2

Node

djangoprojectdjangoRange≤1.4.19

djangoprojectdjangoMatch1.5

djangoprojectdjangoMatch1.5alpha

djangoprojectdjangoMatch1.5beta

djangoprojectdjangoMatch1.5.1

djangoprojectdjangoMatch1.5.2

djangoprojectdjangoMatch1.5.3

djangoprojectdjangoMatch1.5.4

djangoprojectdjangoMatch1.5.5

djangoprojectdjangoMatch1.5.6

djangoprojectdjangoMatch1.5.7

djangoprojectdjangoMatch1.5.8

djangoprojectdjangoMatch1.5.9

djangoprojectdjangoMatch1.5.10

djangoprojectdjangoMatch1.5.11

djangoprojectdjangoMatch1.5.12

djangoprojectdjangoMatch1.6-

djangoprojectdjangoMatch1.6beta1

djangoprojectdjangoMatch1.6beta2

djangoprojectdjangoMatch1.6beta3

djangoprojectdjangoMatch1.6beta4

djangoprojectdjangoMatch1.6.1

djangoprojectdjangoMatch1.6.2

djangoprojectdjangoMatch1.6.3

djangoprojectdjangoMatch1.6.4

djangoprojectdjangoMatch1.6.5

djangoprojectdjangoMatch1.6.6

djangoprojectdjangoMatch1.6.7

djangoprojectdjangoMatch1.6.8

djangoprojectdjangoMatch1.6.9

djangoprojectdjangoMatch1.6.10

djangoprojectdjangoMatch1.7beta1

djangoprojectdjangoMatch1.7beta2

djangoprojectdjangoMatch1.7beta3

djangoprojectdjangoMatch1.7beta4

djangoprojectdjangoMatch1.7rc1

djangoprojectdjangoMatch1.7rc2

djangoprojectdjangoMatch1.7rc3

djangoprojectdjangoMatch1.7.1

djangoprojectdjangoMatch1.7.2

djangoprojectdjangoMatch1.7.3

djangoprojectdjangoMatch1.7.4

djangoprojectdjangoMatch1.7.5

djangoprojectdjangoMatch1.7.6

djangoprojectdjangoMatch1.8.0

Node

oraclesolarisMatch11.2

Node

canonicalubuntu_linuxMatch10.04lts

canonicalubuntu_linuxMatch12.04lts

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch14.10

VendorProductVersionCPE
debiandebian_linux7.0cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
fedoraprojectfedora22cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
opensuseopensuse13.2cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
djangoprojectdjango*cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
djangoprojectdjango1.5cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*
djangoprojectdjango1.5cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*
djangoprojectdjango1.5cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*
djangoprojectdjango1.5.1cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*
djangoprojectdjango1.5.2cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*
djangoprojectdjango1.5.3cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
debian	debian_linux	7.0	cpe:2.3:o:debian:debian_linux:7.0:::::::*
fedoraproject	fedora	22	cpe:2.3:o:fedoraproject:fedora:22:::::::*
opensuse	opensuse	13.2	cpe:2.3:o:opensuse:opensuse:13.2:::::::*
djangoproject	django	*	cpe:2.3:a:djangoproject:django::::::::
djangoproject	django	1.5	cpe:2.3:a:djangoproject:django:1.5:::::::*
djangoproject	django	1.5	cpe:2.3:a:djangoproject:django:1.5:alpha::::::
djangoproject	django	1.5	cpe:2.3:a:djangoproject:django:1.5:beta::::::
djangoproject	django	1.5.1	cpe:2.3:a:djangoproject:django:1.5.1:::::::*
djangoproject	django	1.5.2	cpe:2.3:a:djangoproject:django:1.5.2:::::::*
djangoproject	django	1.5.3	cpe:2.3:a:djangoproject:django:1.5.3:::::::*