Vulnerability DatabaseCVE-2016-2512
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2016-2512
April 08, 2016
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com@attacker.com.
Affected Packages
Django (PYTHON):
Affected version(s)
Fix Suggestion:
Update to version 1.9.3
Django (PYTHON):
Affected version(s)
Fix Suggestion:
Update to version 1.8.10
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (21)
http://rhn.redhat.com/errata/RHSA-2016-0506.html
http://www.debian.org/security/2016/dsa-3544
https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0
https://github.com/django/django/commit/fc6d147a63f89795dbcdecb0559256470fff4380
https://web.archive.org/web/20210123090815/http://www.securityfocus.com/bid/83879
https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350
https://github.com/django/django
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
https://nvd.nist.gov/vuln/detail/CVE-2016-2512
http://rhn.redhat.com/errata/RHSA-2016-0504.html
http://www.securitytracker.com/id/1035152
http://www.ubuntu.com/usn/USN-2915-1
http://rhn.redhat.com/errata/RHSA-2016-0505.html
http://www.ubuntu.com/usn/USN-2915-2
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-15.yaml
http://rhn.redhat.com/errata/RHSA-2016-0502.html
https://web.archive.org/web/20210413200202/http://www.securitytracker.com/id/1035152
https://www.djangoproject.com/weblog/2016/mar/01/security-releases
https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
http://www.securityfocus.com/bid/83879
http://www.ubuntu.com/usn/USN-2915-3
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
CVSS v2
Base Score:
4.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
EPSS
Base Score:
1.20