DSA-2740-1 python-django -- cross-site scripting vulnerabilityID: oval:org.secpod.oval:def:601088 | Date: (C)2013-09-25 (M)2022-10-10 |
Class: PATCH | Family: unix |
Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The is_safe_url utility function used to validate that a used URL is on the current host to avoid potentially dangerous redirects from maliciously-constructed querystrings, worked as intended for HTTP and HTTPS URLs, but permitted redirects to other schemes, such as javascript:. The is_safe_url function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other schemes.
Platform: |
Debian 7.0 |
Debian 6.0 |