Django: XSS attacks


Description: Django Bugs Let Remote Users Conduct Redirect and Cross-Site Scripting Attacks and Determine Valid Usernames

Two vulnerabilities were reported in Django. A remote user can redirect the target user's browser to an arbitrary site. A remote user can determine valid usernames on the target system. A remote user can conduct cross-site scripting attacks.

The django.utils.http.is_safe_url() function does not properly detect unsafe URLs. A remote user can create a URL that, when loaded by the target user, will redirect the target user's browser to an arbitrary site [CVE-2016-2512].
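As an added example (not Django's own is_safe_url() implementation), this is a strict check for user-supplied redirect targets that accepts only a local path or an absolute http(s) URL on an allowlisted host, and rejects the URL shapes a loose host comparison tends to let through; the allowlist and the inputs are constructed for illustration:

```python
from urllib.parse import urlsplit

# Constructed sample allowlist: the site's own host name(s).
ALLOWED_HOSTS = {"mysite.example.com"}


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if a browser sent to `url` stays on an allowed host."""
    if not url:
        return False
    # Whitespace, control characters and backslashes are normalised
    # differently by browsers and URL parsers; refuse rather than guess.
    if "\\" in url or any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F
                          for c in url):
        return False
    # Protocol-relative forms (//host/..., ///host) inherit the current
    # scheme but point at another host.
    if url.startswith("//"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # No scheme and no host: only an absolute local path is acceptable.
        return url.startswith("/")
    # Any other scheme (javascript:, data:, ...) would turn a redirect link
    # into script execution when rendered as an <a href>.
    if parts.scheme not in ("http", "https"):
        return False
    # Embedded credentials (user:pass@host) make the real host easy to misread.
    if parts.username is not None or parts.password is not None:
        return False
    # urlsplit() lowercases the host and strips the port for us.
    return parts.hostname is not None and parts.hostname in allowed_hosts
```

The check is deliberately strict: relative paths without a leading slash and query-only targets are refused, which is acceptable for a post-login "next" parameter.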

Affected Versions: prior to versions 1.8.10, 1.9.3

Impact: A remote user can cause the target user's browser to be redirected to an arbitrary web site.

Solution: The vendor has issued a fix (1.8.10, 1.9.3).

CVE Reference: CVE-2016-2512

