4.3

CVE-2012-3442

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

Data is provided by the National Vulnerability Database (NVD)
DjangoprojectDjango Version <= 1.3
DjangoprojectDjango Version0.95
DjangoprojectDjango Version0.96
DjangoprojectDjango Version1.0
DjangoprojectDjango Version1.0 Updatealpha1
DjangoprojectDjango Version1.0 Updatealpha2
DjangoprojectDjango Version1.0 Updatebeta
DjangoprojectDjango Version1.0 Updatebeta2
DjangoprojectDjango Version1.0.1
DjangoprojectDjango Version1.0.2
DjangoprojectDjango Version1.1
DjangoprojectDjango Version1.1 Updatealpha1
DjangoprojectDjango Version1.1 Updatebeta1
DjangoprojectDjango Version1.1 Updaterc1
DjangoprojectDjango Version1.1.2
DjangoprojectDjango Version1.1.3
DjangoprojectDjango Version1.1.4
DjangoprojectDjango Version1.2
DjangoprojectDjango Version1.2 Updatebeta1
DjangoprojectDjango Version1.2 Updaterc1
DjangoprojectDjango Version1.2-alpha1
DjangoprojectDjango Version1.2.2
DjangoprojectDjango Version1.2.4
DjangoprojectDjango Version1.2.5
DjangoprojectDjango Version1.2.6
DjangoprojectDjango Version1.2.7
DjangoprojectDjango Version1.3 Updatealpha1
DjangoprojectDjango Version1.3 Updatebeta1
DjangoprojectDjango Version1.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.44% 0.603
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.