CVE-2017-7233

Priority: Medium
Description
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies
on user input in some cases to redirect the user to an "on success" URL.
The security check for these redirects (namely
``django.utils.http.is_safe_url()``) considered some numeric URLs "safe"
when they shouldn't be, aka an open redirect vulnerability. Also, if a
developer relies on ``is_safe_url()`` to provide safe redirect targets and
puts such a URL into a link, they could suffer from an XSS attack.
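The defensive takeaway from the description is that a redirect target taken from user input should be checked against a strict allowlist rather than a permissive parser, and that the same value must be HTML-escaped if it is ever placed in a link. The following is an added example, not Django's own ``is_safe_url()`` nor any code from the Ubuntu package: it accepts only same-site absolute paths, so scheme-bearing or purely numeric strings never reach a redirect or an ``<a href>``. The helper names (``is_local_path``, ``redirect_target``, ``link_html``) and the sample inputs are constructed for this illustration.

```python
"""Added example (not Django's code): a strict allowlist for "next"-style
redirect targets.  Only same-origin absolute paths are accepted, so strings
that carry a scheme, a host, or nothing but digits are sent to a fallback."""
import unicodedata
from html import escape
from urllib.parse import urlsplit


def is_local_path(url):
    """Return True only for a same-origin absolute path such as "/accounts/".

    Rejects empty or non-string input, anything not starting with exactly
    one "/", scheme-relative forms ("//host" and "/\\host", since browsers
    treat "\\" like "/"), input containing control characters, and anything
    urlsplit() still reports as carrying a scheme or network location.
    """
    if not url or not isinstance(url, str):
        return False
    # Control characters (Unicode category C*) are ignored by some browsers,
    # which can turn a "relative" string into an absolute URL.
    if any(unicodedata.category(ch)[0] == "C" for ch in url):
        return False
    if url[0] != "/":
        return False
    if len(url) > 1 and url[1] in "/\\":
        return False
    # Defence in depth: parse both spellings of the slash and insist that
    # neither yields a scheme or a netloc.
    for candidate in (url, url.replace("\\", "/")):
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False
    return True


def redirect_target(user_supplied, fallback="/"):
    """Pick the post-login redirect: the user's value if it passes
    is_local_path(), otherwise a fixed, trusted fallback."""
    return user_supplied if is_local_path(user_supplied) else fallback


def link_html(user_supplied, label, fallback="/"):
    """Render the chosen target as an anchor, HTML-escaping both the href
    and the label so a value that passed the check cannot inject markup."""
    href = redirect_target(user_supplied, fallback)
    return '<a href="%s">%s</a>' % (escape(href, quote=True), escape(label))


if __name__ == "__main__":
    # Constructed sample inputs: the kinds of values a "?next=" parameter
    # might carry.  Only the first two are accepted.
    samples = [
        "/accounts/profile/",      # ordinary same-site path: accepted
        "/path?next=/other/",      # query string on a local path: accepted
        "//other.example/",        # scheme-relative: rejected
        "/\\other.example/",       # backslash variant: rejected
        "https://other.example/",  # absolute URL: rejected
        "http:1234567",            # scheme followed only by digits: rejected
        "1234567",                 # bare number: rejected
        "\x00/accounts/",          # leading control character: rejected
        "",                        # empty: rejected
    ]
    for s in samples:
        print("%-26r -> %r" % (s, redirect_target(s)))
```

The allowlist deliberately does not try to decide whether a host in the URL matches the current site; a login view rarely needs cross-host "on success" redirects, and refusing them outright removes the parser ambiguities the advisory describes.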
References
Assigned-to: mdeslaur
Package
Upstream:released (1.8.18)
Ubuntu 12.04 LTS (Precise Pangolin):released (1.3.1-4ubuntu1.23)
Ubuntu 14.04 LTS (Trusty Tahr):released (1.6.11-0ubuntu1.1)
Ubuntu Touch 15.04:DNE
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (1.8.7-1ubuntu5.5)
Ubuntu 16.10 (Yakkety Yak):released (1.8.7-1ubuntu8.2)
Ubuntu 17.04 (Zesty Zapus):released (1.8.7-1ubuntu11)
More Information

Updated: 2017-04-10 17:14:36 UTC (commit 12367)