CVE-2015-2317

Publication date 19 March 2015

Last updated 24 July 2024

Ubuntu priority

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-django	14.10 utopic	Fixed 1.6.6-1ubuntu2.2
	14.04 LTS trusty	Fixed 1.6.1-2ubuntu0.8
	12.04 LTS precise	Fixed 1.3.1-4ubuntu1.16
	10.04 LTS lucid	Fixed 1.1.1-2ubuntu1.17

How can I get the fixes?
What do statuses mean?
Patch details

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
python-django	Upstream: 2a4113d Upstream: 5510f07 Upstream: 2342693

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2539-1
Django vulnerabilities
23 March 2015

Other references

https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
https://www.cve.org/CVERecord?id=CVE-2015-2317