Django security releases v.1.10.7, v.1.9.13, v.1.8.18

Posted in Django

Description: The Django team has issued Django 1.10.7, 1.9.13 and 1.8.18. These releases address the two security issues detailed below.

Issues fixed:

  • Open redirect and possible XSS attack via user-supplied numeric redirect URLs - Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL.
  • Open redirect vulnerability in django.views.static.serve() - A maliciously crafted URL to a Django site using the django.views.static.serve() view could redirect to any other domain.
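Both issues above come down to the same defensive rule: a redirect target taken from the request must be validated against an allow-list before it is placed in a Location header. The following is an added example, not code from Django or from this post, showing a self-contained validator in that spirit. It does not try to reproduce Django's fix; the function names (`is_safe_redirect`, `resolve_redirect`), the allow-list `{"example.com"}` and the sample URLs are constructed for illustration. The point it demonstrates is why a validator must not rely on `urlsplit()` alone: a string like `http:999999999` (a scheme followed only by digits) is resolved by browsers as an absolute URL to a foreign host, while older Python releases parsed it as a relative path with no scheme, so a check that only asked "is the scheme empty?" would have let it through.

```python
"""Allow-list validation for user-supplied redirect targets.

Added example, not Django's own code. Rejects "http:<digits>", "http:///host",
scheme-relative "//host" and off-site absolute URLs, and accepts only a
same-site absolute path or an http(s) URL whose host is on the allow-list.
"""
from urllib.parse import urlsplit


def _has_scheme(url: str) -> bool:
    """Return True if the raw string begins with an RFC 3986 scheme.

    Inspects the text before the first '/', '?' or '#' instead of trusting
    urlsplit(), because older Python releases treated "http:<digits>" as a
    path with no scheme while browsers treat it as "http://<digits>".
    """
    head = url.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return False
    scheme = head.split(":", 1)[0]
    return bool(scheme) and scheme[0].isalpha() and all(
        c.isalnum() or c in "+-." for c in scheme
    )


def is_safe_redirect(url: str, allowed_hosts: set, require_https: bool = False) -> bool:
    """True only for a same-site path or an http(s) URL on an allowed host."""
    if not url:
        return False
    # Control characters, whitespace and backslashes are never legitimate in a
    # redirect target; some browsers ignore the former and treat '\' as '/'.
    if any(ord(c) <= 32 or c == "\\" for c in url):
        return False
    # "//host/..." is scheme-relative and therefore leaves the site.
    if url.startswith("//"):
        return False
    if not _has_scheme(url):
        # No scheme at all: accept only an absolute path on this site.
        return url.startswith("/")
    parts = urlsplit(url)
    # Require a real scheme and authority. "http:999" and "http:///host" have
    # an empty netloc here, yet browsers still treat them as absolute URLs.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if require_https and parts.scheme != "https":
        return False
    # hostname strips userinfo and port, so "https://good@evil/" is checked
    # against "evil", not "good".
    return parts.hostname in allowed_hosts


def resolve_redirect(next_url: str, allowed_hosts: set, fallback: str = "/") -> str:
    """Choose the 'on success' redirect target, falling back to a fixed path."""
    return next_url if is_safe_redirect(next_url, allowed_hosts) else fallback


if __name__ == "__main__":
    hosts = {"example.com"}  # constructed allow-list for the demo
    for candidate in ["/accounts/profile/", "http:999999999",
                      "//evil.example/", "https://example.com/dashboard"]:
        print(f"{candidate!r:32} -> {resolve_redirect(candidate, hosts)}")
```

The same shape of check applies to the `django.views.static.serve()` case: a redirect built from a request path should be validated (or constructed from a known-safe prefix) rather than echoed back, since a path beginning with `//` is exactly the scheme-relative form rejected above.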

Affected versions: v.1.10.x, v.1.9.x, v.1.8.x

Recommended action: upgrade as soon as possible

Origin URLs:
