Description: The Django team has issued Django 1.10.7, Django 1.9.13 and Django 1.8.18. These releases address the two security issues described below.
- Open redirect and possible XSS attack via user-supplied numeric redirect URLs - Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The check that guards these redirects, django.utils.http.is_safe_url(), treated some numeric URLs (e.g. http:999999999) as safe when they are not, so a crafted "next" parameter could send the user to a host the attacker controls. If an application also relies on is_safe_url() to vet a URL before placing it in a link, the same flaw can lead to XSS.
- Open redirect vulnerability in django.views.static.serve() - A maliciously crafted URL to a Django site using the django.views.static.serve() view could redirect the browser to any other domain. The fixed releases remove the redirect from this view entirely.
Affected versions: 1.10.x before 1.10.7, 1.9.x before 1.9.13, 1.8.x before 1.8.18
Recommended action: upgrade to 1.10.7, 1.9.13 or 1.8.18 as soon as possible. Note that django.views.static.serve() is intended for development only and should not be exposed in production regardless of version.
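The following is an added example, written for this advisory and not Django's own is_safe_url() code, of a hardened redirect-target check of the kind the first issue concerns. The numeric case matters because older urllib.parse releases treat "https:999999999" as a relative path (the digits after the colon look like a port number), so a check that only inspects urlparse(url).scheme and .netloc sees neither and accepts the value, while browsers resolve it as https://999999999/, an external host. The check below detects a leading scheme itself instead of trusting urlparse for that, rejects any scheme that comes without a host, and also covers the related browser quirks (backslashes, triple slashes, leading control characters). The allowed_hosts set, the function names and the sample URLs in main() are constructed for the example.

```python
"""Hardened "safe redirect target" check (example code, not Django's)."""
import string
import unicodedata
from urllib.parse import urlparse

# Characters permitted in a URL scheme (RFC 3986): letters, digits, "+", "-", ".".
_SCHEME_CHARS = set(string.ascii_letters + string.digits + "+-.")


def _leading_scheme(url: str) -> str:
    """Return the lower-cased scheme if url starts with one, else ''.

    Unlike older urllib.parse, "scheme:digits" (e.g. https:999999999) is
    still treated as carrying a scheme rather than as a relative path.
    """
    i = url.find(":")
    if i <= 0 or not url[0].isalpha():
        return ""
    if all(c in _SCHEME_CHARS for c in url[:i]):
        return url[:i].lower()
    return ""


def _is_safe_variant(url: str, allowed_hosts: set, require_https: bool) -> bool:
    # Browsers ignore leading control characters and may then read the rest
    # as scheme-relative, so refuse anything that starts with one.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Chrome treats three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    scheme = _leading_scheme(url)
    parts = urlparse(url)
    # A scheme with no host (http:///evil, https:999999999, javascript:...)
    # is always rejected: the browser may still derive a host from the rest.
    if scheme and not parts.netloc:
        return False
    if parts.netloc:
        # hostname strips userinfo and port and lower-cases the host.
        if parts.hostname not in allowed_hosts:
            return False
        # "//host/path" inherits the page's scheme; treat it as http.
        effective_scheme = scheme or "http"
        valid_schemes = {"https"} if require_https else {"http", "https"}
        return effective_scheme in valid_schemes
    # No scheme and no host: a path on the current site.
    return True


def is_safe_redirect(url, allowed_hosts, require_https=False) -> bool:
    """True only if url stays on one of allowed_hosts (or is site-relative)."""
    if not url:
        return False
    url = url.strip()
    if not url:
        return False
    # Chrome treats "\" as "/", so the backslash-normalised form must pass too.
    return (_is_safe_variant(url, allowed_hosts, require_https)
            and _is_safe_variant(url.replace("\\", "/"), allowed_hosts, require_https))


def redirect_target(candidate, allowed_hosts, fallback="/", require_https=False):
    """Pattern for an "on success" redirect: honour the user-supplied target
    only when it passes the check, otherwise use a fixed local fallback."""
    if is_safe_redirect(candidate, allowed_hosts, require_https):
        return candidate
    return fallback


if __name__ == "__main__":
    hosts = {"example.com"}  # constructed for the example
    samples = [  # constructed inputs, the first two being the numeric case
        "https:999999999", "http:999999999", "/accounts/profile/",
        "https://example.com/next", "//evil.example/", "\\\\evil.example",
        "http:///evil.example", "javascript:alert(1)", "\x08//evil.example",
    ]
    for s in samples:
        print(f"{s!r:28} -> {redirect_target(s, hosts)!r}")
```

Django's own fix took a different route (a private copy of urlsplit without the port special case), so this checker is a stand-in for reasoning about the bug class, not a replacement for upgrading; on a patched Django, keep using is_safe_url() (or url_has_allowed_host_and_scheme() in later releases) rather than a hand-rolled check.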