The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Canonical
  • Ubuntu Linux
Debian
  • Debian Linux
Djangoproject
  • Django
Fedoraproject
  • Fedora
Opensuse
  • Opensuse
Oracle
  • Solaris

Configuration 1 [-]

OR cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.6:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.7:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.8:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.9:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.10:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.11:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.5.12:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6:-:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6:beta1:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6:beta2:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6:beta3:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6:beta4:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.5:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.6:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.7:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.8:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.9:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.6.10:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7:beta2:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7:beta3:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7:beta4:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7:rc1:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7:rc2:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7:rc3:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7.2:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7.3:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7.4:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7.5:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.7.6:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*

No data.

References
Link Providers
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html cve-icon cve-icon
http://ubuntu.com/usn/usn-2539-1 cve-icon cve-icon
http://www.debian.org/security/2015/dsa-3204 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2015:195 cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html cve-icon cve-icon
http://www.securityfocus.com/bid/73319 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2015-2317 cve-icon
https://www.cve.org/CVERecord?id=CVE-2015-2317 cve-icon
https://www.djangoproject.com/weblog/2015/mar/18/security-releases/ cve-icon cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-03-25T14:00:00

Updated: 2024-08-06T05:10:16.267Z

Reserved: 2015-03-17T00:00:00

Link: CVE-2015-2317

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2015-03-25T14:59:04.377

Modified: 2018-10-30T16:27:35.843

Link: CVE-2015-2317

cve-icon Redhat

Severity : Low

Publid Date: 2015-03-18T00:00:00Z

Links: CVE-2015-2317 - Bugzilla