Arch Linux Security Advisory ASA-201704-1 ========================================= Severity: Medium Date : 2017-04-06 CVE-ID : CVE-2017-7233 CVE-2017-7234 Package : python2-django Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-233 Summary ======= The package python2-django before version 1.11-1 is vulnerable to multiple issues including cross-site scripting and open redirect. Resolution ========== Upgrade to 1.11-1. # pacman -Syu "python2-django>=1.11-1" The problems have been fixed upstream in version 1.11. Workaround ========== None. Description =========== - CVE-2017-7233 (cross-site scripting) Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) “safe” when they shouldn’t be. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. - CVE-2017-7234 (open redirect) A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t provide any known, useful functionality. Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Impact ====== A remote attacker is able to use a specially crafted numeric-URL to execute arbitrary javascript on the client's machine and craft a malious URL to a Django site which could redirect to any other domain. References ========== https://docs.djangoproject.com/en/dev/releases/1.11 https://security.archlinux.org/CVE-2017-7233 https://security.archlinux.org/CVE-2017-7234