CVE-2012-3442
Published: 31 July 2012
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
Notes
Author | Note |
---|---|
mdeslaur | possible regression, see LP: #1031733 |
Priority
Status
Package | Release | Status |
---|---|---|
python-django (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
python-django | lucid | Released (1.1.1-2ubuntu1.5) |
python-django | natty | Released (1.2.5-1ubuntu1.2) |
python-django | oneiric | Released (1.3-2ubuntu1.3) |
python-django | precise | Released (1.3.1-4ubuntu1.2) |
python-django | upstream | Released (1.3.2, 1.4.1) |

Patches:
- vendor: http://www.debian.org/security/2012/dsa-2529
- upstream: https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d
- upstream: https://github.com/django/django/commit/d0d5dc6cd76f01c8a71b677357ad2f702cb54416
References
- https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
- http://www.openwall.com/lists/oss-security/2012/07/31/1
- http://www.openwall.com/lists/oss-security/2012/07/31/2
- https://ubuntu.com/security/notices/USN-1560-1
- https://www.cve.org/CVERecord?id=CVE-2012-3442
- NVD
- Launchpad
- Debian