GHSA-78vx-ggch-wghm

Source

https://github.com/advisories/GHSA-78vx-ggch-wghm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-78vx-ggch-wghm

Aliases

Published

2022-05-17T05:12:01Z

Modified

2024-11-26T05:32:40.664477Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Django Allows Redirect via Data URL

Details

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

Database specific

{
    "nvd_published_at": "2012-07-31T17:55:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "CRITICAL",
    "github_reviewed_at": "2023-08-29T21:47:28Z",
    "github_reviewed": true
}

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2

Affected versions

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.2

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.3

1.3.1

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.4

Fixed

1.4.1

Affected versions

1.*

1.4