Description
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1038177
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97401
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3835
Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
Scores
CVSS v3
6.1
EPSS
0.0183
EPSS Percentile
76.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (39)
djangoproject/django
1.8.0 (5 CPE variants)
djangoproject/django
1.8.1
djangoproject/django
1.8.2
djangoproject/django
1.8.3
djangoproject/django
1.8.4
djangoproject/django
1.8.5
djangoproject/django
1.8.6
djangoproject/django
1.8.7
djangoproject/django
1.8.8
djangoproject/django
1.8.9
... and 29 more
Published
Apr 04, 2017
Tracked Since
Feb 18, 2026