Vulnerability-Lookup

CVE-2015-0220 (GCVE-0-2015-0220)

Vulnerability from cvelistv5 – Published: 2015-01-16 16:00 – Updated: 2024-08-06 04:03

Summary

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

Tags

	http://secunia.com/advisories/62718	third-party-advisoryx_refsource_SECUNIA
	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	http://ubuntu.com/usn/usn-2469-1	vendor-advisoryx_refsource_UBUNTU
	http://www.mandriva.com/security/advisories?name=…	vendor-advisoryx_refsource_MANDRIVA
	http://secunia.com/advisories/62285	third-party-advisoryx_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2015-0…	vendor-advisoryx_refsource_SUSE
	https://www.djangoproject.com/weblog/2015/jan/13/…	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2015-0…	vendor-advisoryx_refsource_SUSE
	http://secunia.com/advisories/62309	third-party-advisoryx_refsource_SECUNIA
	http://www.mandriva.com/security/advisories?name=…	vendor-advisoryx_refsource_MANDRIVA
	http://advisories.mageia.org/MGASA-2015-0026.html	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:03:10.421Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "62718",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62718"
          },
          {
            "name": "FEDORA-2015-0804",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
          },
          {
            "name": "USN-2469-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-2469-1"
          },
          {
            "name": "MDVSA-2015:036",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
          },
          {
            "name": "62285",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62285"
          },
          {
            "name": "openSUSE-SU-2015:1598",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
          },
          {
            "name": "openSUSE-SU-2015:0643",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
          },
          {
            "name": "62309",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62309"
          },
          {
            "name": "MDVSA-2015:109",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
          },
          {
            "name": "FEDORA-2015-0714",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-20T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "62718",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62718"
        },
        {
          "name": "FEDORA-2015-0804",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
        },
        {
          "name": "USN-2469-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-2469-1"
        },
        {
          "name": "MDVSA-2015:036",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
        },
        {
          "name": "62285",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62285"
        },
        {
          "name": "openSUSE-SU-2015:1598",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
        },
        {
          "name": "openSUSE-SU-2015:0643",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
        },
        {
          "name": "62309",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62309"
        },
        {
          "name": "MDVSA-2015:109",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
        },
        {
          "name": "FEDORA-2015-0714",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-0220",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "62718",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62718"
            },
            {
              "name": "FEDORA-2015-0804",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
            },
            {
              "name": "USN-2469-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-2469-1"
            },
            {
              "name": "MDVSA-2015:036",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
            },
            {
              "name": "62285",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62285"
            },
            {
              "name": "openSUSE-SU-2015:1598",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jan/13/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
            },
            {
              "name": "openSUSE-SU-2015:0643",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
            },
            {
              "name": "62309",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62309"
            },
            {
              "name": "MDVSA-2015:109",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
            },
            {
              "name": "http://advisories.mageia.org/MGASA-2015-0026.html",
              "refsource": "CONFIRM",
              "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
            },
            {
              "name": "FEDORA-2015-0714",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-0220",
    "datePublished": "2015-01-16T16:00:00.000Z",
    "dateReserved": "2014-11-18T00:00:00.000Z",
    "dateUpdated": "2024-08-06T04:03:10.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

PYSEC-2015-5

Vulnerability from pysec - Published: 2015-01-16 16:59 - Updated: 2021-07-05 00:01

Details

Impacted products

Name	purl
django	pkg:pypi/django

Aliases

CVE-2015-0220

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django",
        "purl": "pkg:pypi/django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.18"
            },
            {
              "introduced": "1.5"
            },
            {
              "fixed": "1.6.10"
            },
            {
              "introduced": "1.7"
            },
            {
              "fixed": "1.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.1",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.2.6",
        "1.2.7",
        "1.3",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.4",
        "1.4.1",
        "1.4.10",
        "1.4.11",
        "1.4.12",
        "1.4.13",
        "1.4.14",
        "1.4.15",
        "1.4.16",
        "1.4.17",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.4.8",
        "1.4.9",
        "1.5",
        "1.5.1",
        "1.5.10",
        "1.5.11",
        "1.5.12",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.5.6",
        "1.5.7",
        "1.5.8",
        "1.5.9",
        "1.6",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "1.6.8",
        "1.6.9",
        "1.7",
        "1.7.1",
        "1.7.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2015-0220"
  ],
  "details": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
  "id": "PYSEC-2015-5",
  "modified": "2021-07-05T00:01:19.540383Z",
  "published": "2015-01-16T16:59:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/62285"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/62309"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-2469-1"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/62718"
    },
    {
      "type": "ADVISORY",
      "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
    }
  ]
}

FKIE_CVE-2015-0220

Vulnerability from fkie_nvd - Published: 2015-01-16 16:59 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://advisories.mageia.org/MGASA-2015-0026.html
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html
secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html
secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
secalert@redhat.com	http://secunia.com/advisories/62285
secalert@redhat.com	http://secunia.com/advisories/62309
secalert@redhat.com	http://secunia.com/advisories/62718
secalert@redhat.com	http://ubuntu.com/usn/usn-2469-1
secalert@redhat.com	http://www.mandriva.com/security/advisories?name=MDVSA-2015:036
secalert@redhat.com	http://www.mandriva.com/security/advisories?name=MDVSA-2015:109
secalert@redhat.com	https://www.djangoproject.com/weblog/2015/jan/13/security/	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://advisories.mageia.org/MGASA-2015-0026.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/62285
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/62309
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/62718
af854a3a-2127-422b-91ae-364da2661108	http://ubuntu.com/usn/usn-2469-1
af854a3a-2127-422b-91ae-364da2661108	http://www.mandriva.com/security/advisories?name=MDVSA-2015:036
af854a3a-2127-422b-91ae-364da2661108	http://www.mandriva.com/security/advisories?name=MDVSA-2015:109
af854a3a-2127-422b-91ae-364da2661108	https://www.djangoproject.com/weblog/2015/jan/13/security/	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
canonical	ubuntu_linux	10.04
canonical	ubuntu_linux	12.04
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	14.10
djangoproject	django	*
djangoproject	django	1.6
djangoproject	django	1.6.1
djangoproject	django	1.6.2
djangoproject	django	1.6.3
djangoproject	django	1.6.4
djangoproject	django	1.6.5
djangoproject	django	1.6.6
djangoproject	django	1.6.7
djangoproject	django	1.6.8
djangoproject	django	1.6.9
djangoproject	django	1.7
djangoproject	django	1.7.1
djangoproject	django	1.7.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:lts:*:*:*:*:*",
              "matchCriteriaId": "823E02CA-A145-46C2-BC4C-16DECB060B19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:lts:*:*:*:*:*",
              "matchCriteriaId": "E685F933-7C10-49B6-9F4B-89478AF51761",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "49A63F39-30BE-443F-AF10-6245587D3359",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E636F6CA-1979-43DA-A12F-23EC009B4A65",
              "versionEndIncluding": "1.4.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "5463AB51-6088-473A-BB54-BB78ACFC6DCA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CC369A0-0092-450D-91E9-13C7AF7EBC16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B6B7974-ABEF-4E0C-8503-6E9C22D28C78",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "55460F1D-661B-465C-8A22-E4E6DA2834B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FD4FB46-3A98-4B9B-A241-C39E2C2A0FEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF87FDAB-51A2-41C4-A4C4-5180B0230C3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E8431B-FEA1-4D94-B367-56E8678C3CD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "81E7779A-EDB9-4871-8D7C-63C5A7C7A0DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABB56113-5E66-4EE9-B551-FD40C2FE307B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2985241-279F-46AC-8BBF-DF2F439FE720",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "72653EB4-CE19-42FC-9C99-5CB391DABE7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "06513AE1-11E4-4A9C-BDA4-D0511A9DCFC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6004EA17-A2B4-4E4C-A738-210FCAC2CA32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n django.util.http.is_safe_url en Django anterior a 1.4.18, 1.6.x anterior a 1.6.10, y 1.7.x anterior a 1.7.3 no maneja correctamente los espacios en blanco l\u00edder, lo que permite a atacantes remotos realizar ataques de XSS a trav\u00e9s de una URL manipulada, relacionado con redirigir URLs, tal y como fue demostrado por una URL \u0027\\njavascript:\u0027."
    }
  ],
  "id": "CVE-2015-0220",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2015-01-16T16:59:19.563",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://secunia.com/advisories/62285"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://secunia.com/advisories/62309"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://secunia.com/advisories/62718"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://ubuntu.com/usn/usn-2469-1"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62285"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62309"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62718"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://ubuntu.com/usn/usn-2469-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2015-0220

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2015-0220

Aliases

CVE-2015-0220

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-0220",
    "description": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
    "id": "GSD-2015-0220",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-0220.html",
      "https://www.debian.org/security/2015/dsa-3151",
      "https://ubuntu.com/security/CVE-2015-0220",
      "https://advisories.mageia.org/CVE-2015-0220.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-0220"
      ],
      "details": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
      "id": "GSD-2015-0220",
      "modified": "2023-12-13T01:19:58.767987Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2015-0220",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "62718",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/62718"
          },
          {
            "name": "FEDORA-2015-0804",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
          },
          {
            "name": "USN-2469-1",
            "refsource": "UBUNTU",
            "url": "http://ubuntu.com/usn/usn-2469-1"
          },
          {
            "name": "MDVSA-2015:036",
            "refsource": "MANDRIVA",
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
          },
          {
            "name": "62285",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/62285"
          },
          {
            "name": "openSUSE-SU-2015:1598",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
          },
          {
            "name": "https://www.djangoproject.com/weblog/2015/jan/13/security/",
            "refsource": "CONFIRM",
            "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
          },
          {
            "name": "openSUSE-SU-2015:0643",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
          },
          {
            "name": "62309",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/62309"
          },
          {
            "name": "MDVSA-2015:109",
            "refsource": "MANDRIVA",
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
          },
          {
            "name": "http://advisories.mageia.org/MGASA-2015-0026.html",
            "refsource": "CONFIRM",
            "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
          },
          {
            "name": "FEDORA-2015-0714",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.4.18||\u003e=1.6.0,\u003c1.6.10||\u003e=1.7.0,\u003c1.7.3",
          "affected_versions": "All versions before 1.4.18, all versions starting from 1.6.0 before 1.6.10, all versions starting from 1.7.0 before 1.7.3",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-08-12",
          "description": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
          "fixed_versions": [
            "1.4.18",
            "1.6.10",
            "1.7.3"
          ],
          "identifier": "CVE-2015-0220",
          "identifiers": [
            "GHSA-gv98-g628-m9x5",
            "CVE-2015-0220"
          ],
          "not_impacted": "All versions starting from 1.4.18 before 1.6.0, all versions starting from 1.6.10 before 1.7.0, all versions starting from 1.7.3",
          "package_slug": "pypi/Django",
          "pubdate": "2022-05-17",
          "solution": "Upgrade to versions 1.4.18, 1.6.10, 1.7.3 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-0220",
            "https://www.djangoproject.com/weblog/2015/jan/13/security/",
            "http://advisories.mageia.org/MGASA-2015-0026.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html",
            "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html",
            "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html",
            "http://ubuntu.com/usn/usn-2469-1",
            "https://github.com/django/django/commit/4c241f1b710da6419d9dca160e80b23b82db7758",
            "https://github.com/django/django/commit/72e0b033662faa11bb7f516f18a132728aa0ae28",
            "https://github.com/django/django/commit/de67dedc771ad2edec15c1d00c083a1a084e1e89",
            "https://github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.4.18.txt#L34-L46",
            "https://web.archive.org/web/20150128111656/http://secunia.com/advisories/62285",
            "https://web.archive.org/web/20150523054951/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:109/?name=MDVSA-2015:109",
            "https://web.archive.org/web/20150523054953/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:036/?name=MDVSA-2015:036",
            "https://web.archive.org/web/20151104201446/http://secunia.com/advisories/62718",
            "https://github.com/advisories/GHSA-gv98-g628-m9x5"
          ],
          "uuid": "07154f71-d680-41b6-9e71-b653a77c1153"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:lts:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:lts:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.4.17",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-0220"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "62285",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/62285"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jan/13/security/",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
            },
            {
              "name": "62309",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/62309"
            },
            {
              "name": "USN-2469-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://ubuntu.com/usn/usn-2469-1"
            },
            {
              "name": "62718",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/62718"
            },
            {
              "name": "http://advisories.mageia.org/MGASA-2015-0026.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
            },
            {
              "name": "MDVSA-2015:036",
              "refsource": "MANDRIVA",
              "tags": [],
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
            },
            {
              "name": "MDVSA-2015:109",
              "refsource": "MANDRIVA",
              "tags": [],
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
            },
            {
              "name": "openSUSE-SU-2015:0643",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
            },
            {
              "name": "FEDORA-2015-0714",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
            },
            {
              "name": "FEDORA-2015-0804",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
            },
            {
              "name": "openSUSE-SU-2015:1598",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2016-12-22T02:59Z",
      "publishedDate": "2015-01-16T16:59Z"
    }
  }
}

CNVD-2015-00389

Vulnerability from cnvd - Published: 2015-01-19

Title

Django 'django.util.http.is_safe_url()'跨站脚本漏洞

Description

Django是一个由Python写成开放源代码的Web应用框架。 Django 'django.util.http.is_safe_url()'存在跨站脚本漏洞，因为它未能正确过滤用户提供的输入。攻击者可能会利用此问题在受影响站点的上下文的不知情用户的浏览器中执行任意脚本代码。

Severity

中

Patch Name

Django 'django.util.http.is_safe_url()'跨站脚本漏洞的补丁

Patch Description

Django是一个由Python写成开放源代码的Web应用框架。 Django 'django.util.http.is_safe_url()'存在跨站脚本漏洞，因为它未能正确过滤用户提供的输入。攻击者可能会利用此问题在受影响站点的上下文的不知情用户的浏览器中执行任意脚本代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://www.djangoproject.com/

Reference

http://www.securityfocus.com/bid/72079

Impacted products

Name
Django Software Foundation Django

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "72079"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-0220"
    }
  },
  "description": "Django\u662f\u4e00\u4e2a\u7531Python\u5199\u6210\u5f00\u653e\u6e90\u4ee3\u7801\u7684Web\u5e94\u7528\u6846\u67b6\u3002 \r\n\r\nDjango \u0027django.util.http.is_safe_url()\u0027\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u56e0\u4e3a\u5b83\u672a\u80fd\u6b63\u786e\u8fc7\u6ee4\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u5229\u7528\u6b64\u95ee\u9898\u5728\u53d7\u5f71\u54cd\u7ad9\u70b9\u7684\u4e0a\u4e0b\u6587\u7684\u4e0d\u77e5\u60c5\u7528\u6237\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002",
  "discovererName": "Mikko Ohtamaa",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://www.djangoproject.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-00389",
  "openTime": "2015-01-19",
  "patchDescription": "Django\u662f\u4e00\u4e2a\u7531Python\u5199\u6210\u5f00\u653e\u6e90\u4ee3\u7801\u7684Web\u5e94\u7528\u6846\u67b6\u3002\r\nDjango \u0027django.util.http.is_safe_url()\u0027\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u56e0\u4e3a\u5b83\u672a\u80fd\u6b63\u786e\u8fc7\u6ee4\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u5229\u7528\u6b64\u95ee\u9898\u5728\u53d7\u5f71\u54cd\u7ad9\u70b9\u7684\u4e0a\u4e0b\u6587\u7684\u4e0d\u77e5\u60c5\u7528\u6237\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Django \u0027django.util.http.is_safe_url()\u0027\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Django Software Foundation Django"
  },
  "referenceLink": "http://www.securityfocus.com/bid/72079",
  "serverity": "\u4e2d",
  "submitTime": "2015-01-16",
  "title": "Django \u0027django.util.http.is_safe_url()\u0027\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

GHSA-GV98-G628-M9X5

Vulnerability from github – Published: 2022-05-17 03:20 – Updated: 2024-09-18 19:55

Summary

Django Cross-site Scripting Vulnerability

Details

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \njavascript: URL.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6"
            },
            {
              "fixed": "1.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7"
            },
            {
              "fixed": "1.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-0220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T21:14:30Z",
    "nvd_published_at": "2015-01-16T16:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The `django.util.http.is_safe_url` function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a `\\njavascript:` URL.",
  "id": "GHSA-gv98-g628-m9x5",
  "modified": "2024-09-18T19:55:30Z",
  "published": "2022-05-17T03:20:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0220"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/4c241f1b710da6419d9dca160e80b23b82db7758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/72e0b033662faa11bb7f516f18a132728aa0ae28"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/de67dedc771ad2edec15c1d00c083a1a084e1e89"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.4.18.txt#L34-L46"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-5.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20150128111656/http://secunia.com/advisories/62285"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20150523054951/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:109/?name=MDVSA-2015:109"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20150523054953/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:036/?name=MDVSA-2015:036"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20151104201446/http://secunia.com/advisories/62718"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2015/jan/13/security"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-2469-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django Cross-site Scripting Vulnerability"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-0220 (GCVE-0-2015-0220)

PYSEC-2015-5

FKIE_CVE-2015-0220

GSD-2015-0220

CNVD-2015-00389

GHSA-GV98-G628-M9X5

Tags

Sightings

Nomenclature