Django is prone to an open-redirect vulnerability because it fails to properly validate user-supplied redirect URLs before sending the browser to them.
An attacker can exploit this issue by constructing a crafted URI and enticing a user to follow it. When the victim follows the link, the application redirects them to an attacker-controlled site, which may aid phishing attacks. Other attacks are possible.
Versions prior to Django 1.10.7, 1.9.13, and 1.8.18 are vulnerable.
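The advisory does not detail which input the fixed releases mishandle, so the following added example (not Django's own code, and not the patch shipped in 1.10.7, 1.9.13 or 1.8.18) shows the class of check a redirect target such as a login view's `?next=` parameter needs, and the crafted values a naive "starts with a slash" test lets through. The allowed host `example.com`, the function names and the sample URLs are all constructed for this example.

```python
"""Standalone validator for a user-supplied redirect target (added example,
not Django's code). Assumptions: the site is served as example.com, the
redirect value arrives as a plain string, and the fallback is "/"."""
import unicodedata
from urllib.parse import urlsplit


def url_is_local_or_allowed(url, allowed_hosts, require_https=False):
    """Return True only if `url` keeps the browser on one of `allowed_hosts`
    or is a path-relative URL on the current host."""
    if not url:
        return False
    # Browsers and urlsplit() strip or ignore control characters differently,
    # so "\t//evil.example" may parse as a path here and as a host there.
    if any(unicodedata.category(ch)[0] == "C" for ch in url):
        return False
    # Chrome treats "\" as "/", so "/\evil.example" is "//evil.example".
    if "\\" in url:
        return False
    # "///host" parses with an empty netloc but browsers still leave the site.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # A scheme with no authority ("http:999999999", "javascript:x") is
    # reinterpreted by the browser; it is never a same-host target.
    if parts.scheme and not parts.netloc:
        return False
    scheme = parts.scheme.lower()
    if parts.netloc and not scheme:
        scheme = "http"  # "//host/..." inherits the page scheme; treat as http
    valid_schemes = ("https",) if require_https else ("http", "https")
    if scheme and scheme not in valid_schemes:
        return False
    # Compare the whole netloc, so userinfo or a port cannot smuggle a host.
    if parts.netloc and parts.netloc.lower() not in allowed_hosts:
        return False
    return True


def redirect_target(next_param, allowed_hosts, fallback="/"):
    """What a view should do with ?next=: use it only if safe, else fall back."""
    if url_is_local_or_allowed(next_param, allowed_hosts):
        return next_param
    return fallback


def weak_check(url):
    """The naive test this example contrasts against: a leading slash only,
    which accepts scheme-relative URLs such as //evil.example."""
    return bool(url) and url.startswith("/")


# Constructed sample values an attacker might place in ?next=
ALLOWED = {"example.com"}
SAMPLES = [
    "/accounts/profile/",
    "https://example.com/dashboard",
    "http://evil.example/",
    "//evil.example/",
    "///evil.example/",
    "/\\evil.example",
    "http:999999999",
    "javascript:alert(1)",
    "\t//evil.example/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:24} weak={weak_check(s)!s:5} "
              f"strict={url_is_local_or_allowed(s, ALLOWED)}")
```

Running the block prints one line per sample; the weak check accepts `//evil.example/`, `///evil.example/` and `/\evil.example`, all of which a browser follows off-site, while the strict check accepts only the path-relative and same-host entries. Any redirect view should route the parameter through a check of this shape and fall back to a fixed URL rather than try to sanitize the value.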
Information
Vulnerable:
Djangoproject Django 1.10.5
Djangoproject Django 1.10.3
Djangoproject Django 1.10.2
Djangoproject Django 1.10.1
Djangoproject Django 1.9.12
Djangoproject Django 1.9.11
Djangoproject Django 1.9.10
Djangoproject Django 1.9.9
Djangoproject Django 1.9.3
Djangoproject Django 1.8.16
Djangoproject Django 1.8.15
Djangoproject Django 1.8.14
Djangoproject Django 1.8.10
Djangoproject Django 1.8.7
Djangoproject Django 1.8.6
Djangoproject Django 1.8.5
Djangoproject Django 1.8.4
Djangoproject Django 1.8.3
Djangoproject Django 1.8.2
Djangoproject Django 1.8.1
Djangoproject Django 1.8
Djangoproject Django 1.9.2
Djangoproject Django 1.9.1
Djangoproject Django 1.9
Djangoproject Django 1.10
Not Vulnerable:
Djangoproject Django 1.10.7
Djangoproject Django 1.9.13
Djangoproject Django 1.8.18
Exploit
An attacker can exploit this issue by enticing an unsuspecting victim to follow a crafted URI whose redirect parameter points at an attacker-controlled site.
References:
- Django Homepage (Django)
- Django security releases issued: 1.10.7, 1.9.13, and 1.8.18 (Django)