Description: Django Bugs Let Remote Users Conduct Redirect and Cross-Site Scripting Attacks and Determine Valid Usernames
Two vulnerabilities were reported in Django. A remote user can redirect the target user's browser to an arbitrary site. A remote user can determine valid usernames on the target system. A remote user can conduct cross-site scripting attacks.
The django.utils.http.is_safe_url() function does not properly detect unsafe URLs. A remote user can create a URL that, when loaded by the target user, will redirect the target user's browser to an arbitrary site [
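As an added illustration (not code from the advisory or from Django itself), the following stand-alone redirect-target check shows the classes of input a safe-URL check has to reject before an application follows a user-supplied "next" parameter: off-host URLs, protocol-relative and triple-slash forms, non-HTTP schemes, and URLs containing backslashes or control characters that browsers and URL parsers interpret differently. The function name, the allowed-host set and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Hypothetical replacement for an "is this redirect safe?" check. It returns True
# only for a plain relative path or for an absolute http(s) URL whose hostname is
# in allowed_hosts. Everything ambiguous is rejected rather than normalised.
def is_safe_redirect(url, allowed_hosts, require_https=False):
    if not url or not isinstance(url, str):
        return False
    # Browsers treat "\" like "/" in URLs while many parsers do not, so a
    # backslash can hide a host change; whitespace and control characters can
    # likewise alter how the browser tokenises the URL. Reject both outright.
    if "\\" in url or any(ch.isspace() or ord(ch) < 32 for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative path. urlsplit already moves "//host" into netloc, so the
        # remaining dangerous shape is "///host", which browsers read as an
        # authority; refuse anything that still begins with "//".
        return not url.startswith("//")
    # Only web schemes may carry the user off to another location. This also
    # blocks "javascript:" URLs, the script-execution variant of the bug.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        return False
    # urlsplit().hostname strips userinfo and port and lowercases the host, so
    # "http://allowed@other/" is compared as "other", not "allowed".
    host = parts.hostname or ""
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    if require_https and parts.scheme != "https":
        return False
    return True


if __name__ == "__main__":
    allowed = {"myapp.test"}
    for candidate in ("/accounts/profile/", "//evil.test/", "https://evil.test/",
                      "javascript:void(0)", "http://myapp.test\\@evil.test/"):
        print(f"{candidate!r:40} -> {is_safe_redirect(candidate, allowed)}")
```

Note that the hostname comparison ignores the port, so a deployment that distinguishes hosts by port should compare `parts.netloc` instead.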
Affected Versions: prior to versions 1.8.10, 1.9.3
Impact: A remote user can cause the target user's browser to be redirected to an arbitrary web site.
Solution: The vendor has issued a fix (1.8.10, 1.9.3).