Description
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of the redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL. The issue is reachable whenever an application passes attacker-controlled input (for example a "next" query parameter) to one of these classes: the value is emitted unchanged in the Location header, so a target such as data:text/html,... causes the browser to render attacker-supplied HTML and script as the result of following the application's redirect.
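The check below is an added example, not Django's own code, written in plain Python so it runs without Django installed. It reproduces the pattern described above: the pre-fix behaviour (the redirect target is echoed as-is) beside a hardened version that allow-lists redirect schemes the way the fixed releases do, accepting relative targets and http/https/ftp and refusing data:, javascript: and anything else. The function names (validate_redirect_scheme, is_safe_redirect_scheme, vulnerable_redirect_location, hardened_redirect_location) and the sample "next" values are this example's own assumptions.

```python
"""Scheme validation for redirect targets, modelled on the fix for this issue.

Added example, not Django's own code. The allow-list mirrors the schemes the
fixed releases accept; everything else here (names, sample inputs) is
hypothetical and exists only to make the check runnable stand-alone.
"""
from urllib.parse import urlparse

# Schemes a browser may be sent to via a Location header. Anything else,
# including data: and javascript:, is refused.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp"})


class UnsafeRedirect(ValueError):
    """Raised for a redirect target whose scheme is not allow-listed."""


def validate_redirect_scheme(location: str) -> str:
    """Return ``location`` unchanged if its scheme is safe, else raise.

    Relative targets (no scheme at all) are accepted: they can only resolve
    against the issuing site. Absolute targets must use an allow-listed
    scheme. This is scheme validation only: an absolute http(s) URL to a
    foreign host, or a protocol-relative "//host/" target, still passes, so
    open-redirect protection (host allow-listing) is a separate check.
    """
    # Browsers drop leading/trailing whitespace and embedded tab/CR/LF before
    # parsing a URL, so "java\tscript:" is javascript: to them. Normalise the
    # same way so the parsed scheme matches what the browser will act on.
    candidate = "".join(ch for ch in location.strip() if ch not in "\t\r\n")
    scheme = urlparse(candidate).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        raise UnsafeRedirect(f"Unsafe redirect to URL with scheme {scheme!r}")
    return location


def is_safe_redirect_scheme(location: str) -> bool:
    """Boolean form of validate_redirect_scheme for callers that want no exception."""
    try:
        validate_redirect_scheme(location)
    except UnsafeRedirect:
        return False
    return True


def vulnerable_redirect_location(next_url: str) -> str:
    """Pre-fix behaviour: the attacker-controlled target is used as-is."""
    return next_url


def hardened_redirect_location(next_url: str, fallback: str = "/") -> str:
    """Post-fix behaviour: refuse unsafe schemes and fall back to a known-safe
    path rather than echoing the attacker's value into the Location header."""
    try:
        return validate_redirect_scheme(next_url)
    except UnsafeRedirect:
        return fallback


if __name__ == "__main__":
    # Constructed sample "next" parameter values, as an attacker might supply them.
    samples = [
        "/accounts/profile/",
        "https://example.com/dashboard/",
        "data:text/html,<script>alert(document.domain)</script>",
        "javascript:alert(1)",
        " DATA:text/html,<h1>spoofed</h1>",
        "java\tscript:alert(1)",
        "//evil.example/",  # passes scheme validation: not a scheme problem
    ]
    for value in samples:
        print(f"{value!r:60} vulnerable -> {vulnerable_redirect_location(value)!r}")
        print(f"{'':60} hardened   -> {hardened_redirect_location(value)!r}")
```

The last sample is the caveat worth remembering: a protocol-relative or absolute http(s) URL to a foreign host is not a scheme violation, so this check alone does not stop open redirects; validate the host as well when the target comes from the request.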
Remediation
Upgrade to Django 1.3.2 or 1.4.1 (or later). Until then, do not pass attacker-controlled values to HttpResponseRedirect or HttpResponsePermanentRedirect without first rejecting any absolute target whose scheme is not http, https or ftp.