CVE-2015-2317

Related Files

Mandriva Linux Security Advisory 2015-195

Posted Apr 7, 2015

Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-195 - The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. The updated packages provides a solution for this security issue.

tags | advisory, remote, web, xss

systems | linux, mandriva

advisories | CVE-2015-2317

SHA-256 | da29353ee6e69007158c2009f13b3d836eda48a2560df0d4f7ba8c8fd7386594

Download | Favorite | View

Ubuntu Security Notice USN-2539-1

Posted Mar 23, 2015

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2539-1 - Andrey Babak discovered that Django incorrectly handled strip_tags. A remote attacker could possibly use this issue to cause Django to enter an infinite loop, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. Daniel Chatfield discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack. Various other issues were also addressed.

tags | advisory, remote, denial of service, xss

systems | linux, ubuntu

advisories | CVE-2015-2316, CVE-2015-2317

SHA-256 | 53680626ecb8e98f0161296b291449a4aafee68328f4c80fd4a94fb42720042a

Download | Favorite | View