Django 'django.contrib.auth.views.login()' Function Open Redirection Vulnerability



Django is prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input.

An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Versions prior to Django 1.10.7, 1.9.13, and 1.8.18 are vulnerable.

Information

Bugtraq ID: 97406
Class: Input Validation Error
CVE: CVE-2017-7233

Remote: Yes
Local: No
Published: Apr 05 2017 12:00AM
Credit: The vendor reported this issue.
Vulnerable: Djangoproject Django 1.10.6
Djangoproject Django 1.10.5
Djangoproject Django 1.10.3
Djangoproject Django 1.10.2
Djangoproject Django 1.10.1
Djangoproject Django 1.9.12
Djangoproject Django 1.9.11
Djangoproject Django 1.9.10
Djangoproject Django 1.9.9
Djangoproject Django 1.9.3
Djangoproject Django 1.8.16
Djangoproject Django 1.8.15
Djangoproject Django 1.8.14
Djangoproject Django 1.8.10
Djangoproject Django 1.8.7
Djangoproject Django 1.8.6
Djangoproject Django 1.8.5
Djangoproject Django 1.8.4
Djangoproject Django 1.8.3
Djangoproject Django 1.8.2
Djangoproject Django 1.8.1
Djangoproject Django 1.8
Djangoproject Django 1.9.2
Djangoproject Django 1.9.1
Djangoproject Django 1.9
Djangoproject Django 1.10


Not Vulnerable: Djangoproject Django 1.10.7
Djangoproject Django 1.9.13
Djangoproject Django 1.8.18


Exploit


An attacker can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.


Related Posts