CVE-2017-7233 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-7233 Interim 1 23 2023-03-21T01:41:55Z current 2021-05-30T13:54:19Z 2023-03-21T01:41:55Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-7233 Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2018-April/003895.html E-Mail link for SUSE-SU-2018:0973-1 https://lists.suse.com/pipermail/sle-security-updates/2018-April/003965.html E-Mail link for SUSE-SU-2018:1102-1 https://lists.opensuse.org/opensuse-updates/2018-03/msg00024.html E-Mail link for openSUSE-SU-2018:0632-1 https://lists.opensuse.org/opensuse-updates/2018-03/msg00103.html E-Mail link for openSUSE-SU-2018:0824-1 https://lists.opensuse.org/opensuse-updates/2018-03/msg00105.html E-Mail link for openSUSE-SU-2018:0826-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OGS4NP24275NERRPQV6A6EONV6W3C2SK/ E-Mail link for openSUSE-SU-2023:0077-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 SUSE Package Hub 12 SUSE Package Hub 12 SP1 openSUSE Tumbleweed python-Django-1.11.10-5.1 python-Django-1.11.15-2.1 python-Django-1.8.19-3.4.1 python-Django-1.8.19-3.6.1 python36-Django-3.2.7-2.3 python38-Django-3.2.7-2.3 python39-Django-3.2.7-2.3 python-Django-1.8.19-3.6.1 as a component of SUSE OpenStack Cloud 6 python-Django-1.8.19-3.4.1 as a component of SUSE OpenStack Cloud 7 python-Django-1.11.10-5.1 as a component of SUSE Package Hub 12 python-Django-1.11.15-2.1 as a component of SUSE Package Hub 12 SP1 python36-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed python38-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed python39-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. CVE-2017-7233 SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1 SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1 SUSE Package Hub 12:python-Django-1.11.10-5.1 SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1 openSUSE Tumbleweed:python36-Django-3.2.7-2.3 openSUSE Tumbleweed:python38-Django-3.2.7-2.3 openSUSE Tumbleweed:python39-Django-3.2.7-2.3 low 4 AV:N/AC:H/Au:N/C:P/I:P/A:N 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N