CVE-2017-7233
- EPSS 0.75%
- Published 04.04.2017 17:59:00
- Last modified 20.04.2025 01:37:25
- Source cve@mitre.org
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
Data is provided by the National Vulnerability Database (NVD)
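The description above boils down to a redirect-target check that trusted more URL forms than it should have. The following is an added example, not Django's ``is_safe_url()`` and not taken from the Django project: it shows the defensive pattern a practitioner wants for CWE-601, namely an explicit host allowlist plus a conservative parse that rejects every form whose host is not in that list (including hosts written in numeric form), scheme-relative and backslash-prefixed targets, non-HTTP schemes, embedded userinfo, and control characters. The allowlist ``ALLOWED_HOSTS`` and the sample targets are constructed for illustration.

```python
"""Allowlist-based redirect-target validation (added example, not Django code)."""
from urllib.parse import urlsplit

# Constructed allowlist of hosts we are willing to redirect to.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS, require_https: bool = False) -> bool:
    """Return True only if `target` is a same-site relative path or an
    http(s) URL whose host is explicitly allowlisted.

    Everything else (other schemes, scheme-relative "//host", backslash
    variants, userinfo tricks, numeric or unknown hosts, malformed input)
    is rejected: the check is allow-by-exception, never deny-by-pattern."""
    if not target:
        return False
    # Whitespace and control characters have no place in a redirect target;
    # browsers strip some of them, which can change how the URL parses.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat "\" like "/" in special schemes; normalise before parsing
    # so that "\\host" is seen as the scheme-relative URL it really is.
    target = target.replace("\\", "/")
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. an unterminated IPv6 literal
        return False

    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return False
    # An empty scheme inherits the current request's scheme, so only an
    # explicit non-https scheme violates require_https.
    if require_https and scheme and scheme != "https":
        return False

    if not parts.netloc:
        # No authority component: accept only a plain absolute path. This
        # also rejects "http:host" (scheme but no netloc) and "///host",
        # which browsers resolve to a different host.
        return target.startswith("/") and not target.startswith("//")

    # .hostname is lowercased and has userinfo and port removed, so
    # "https://example.com@evil.example/" yields "evil.example".
    hostname = parts.hostname
    if not hostname:
        return False
    return hostname in allowed_hosts


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes the check, otherwise the fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample targets as a user-controlled "next" parameter might carry them.
    for candidate in ["/dashboard", "https://www.example.com/a", "//evil.example/",
                      "http://203.0.113.5/", "javascript:alert(1)", "https://example.com@evil.example/"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The important design choice is that the validator never tries to enumerate dangerous forms; it parses once, demands a host it already trusts, and treats anything ambiguous as unsafe. When adding such a check to an application, also escape the resulting URL when it is placed into HTML, since the description notes that a "safe" verdict alone does not prevent XSS if the value is later emitted into a link unescaped.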
Affected configurations:
- Djangoproject ≫ Django 1.8.0
- Djangoproject ≫ Django 1.8.0, update a1
- Djangoproject ≫ Django 1.8.0, update b1
- Djangoproject ≫ Django 1.8.0, update b2
- Djangoproject ≫ Django 1.8.0, update c1
- Djangoproject ≫ Django 1.8.1
- Djangoproject ≫ Django 1.8.2
- Djangoproject ≫ Django 1.8.3
- Djangoproject ≫ Django 1.8.4
- Djangoproject ≫ Django 1.8.5
- Djangoproject ≫ Django 1.8.6
- Djangoproject ≫ Django 1.8.7
- Djangoproject ≫ Django 1.8.8
- Djangoproject ≫ Django 1.8.9
- Djangoproject ≫ Django 1.8.10
- Djangoproject ≫ Django 1.8.11
- Djangoproject ≫ Django 1.8.12
- Djangoproject ≫ Django 1.8.13
- Djangoproject ≫ Django 1.8.14
- Djangoproject ≫ Django 1.8.15
- Djangoproject ≫ Django 1.8.16
- Djangoproject ≫ Django 1.8.17
- Djangoproject ≫ Django 1.9
- Djangoproject ≫ Django 1.9, update a1
- Djangoproject ≫ Django 1.9, update b1
- Djangoproject ≫ Django 1.9, update rc1
- Djangoproject ≫ Django 1.9, update rc2
- Djangoproject ≫ Django 1.9.1
- Djangoproject ≫ Django 1.9.2
- Djangoproject ≫ Django 1.9.3
- Djangoproject ≫ Django 1.9.4
- Djangoproject ≫ Django 1.9.5
- Djangoproject ≫ Django 1.9.6
- Djangoproject ≫ Django 1.9.7
- Djangoproject ≫ Django 1.9.8
- Djangoproject ≫ Django 1.9.9
- Djangoproject ≫ Django 1.9.10
- Djangoproject ≫ Django 1.9.11
- Djangoproject ≫ Django 1.9.12
- Djangoproject ≫ Django 1.10.0
- Djangoproject ≫ Django 1.10.0, update a1
- Djangoproject ≫ Django 1.10.0, update b1
- Djangoproject ≫ Django 1.10.0, update rc1
- Djangoproject ≫ Django 1.10.1
- Djangoproject ≫ Django 1.10.2
- Djangoproject ≫ Django 1.10.3
- Djangoproject ≫ Django 1.10.4
- Djangoproject ≫ Django 1.10.5
- Djangoproject ≫ Django 1.10.6
No CISA KEV entry or CERT.AT advisory was found for this CVE.
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 0.75% | 0.721
Source | Base Score | Exploit Score | Impact Score | Vector string
---|---|---|---|---
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov | 5.8 | 8.6 | 4.9 | AV:N/AC:M/Au:N/C:P/I:P/A:N
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.