Description
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
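The defect described above is a missing scheme check on the redirect target: whatever string the application passes as the target is written straight into the Location header, so a data: URL is relayed to the browser unchanged. The following is an added example, not code from this page or from Django itself, showing the shape of the check the fixed versions introduced: an allow-list of URL schemes that a redirect target must match (or be scheme-less, i.e. relative). The helper names (validate_redirect_target, is_safe_redirect_target, UnsafeRedirect) are assumptions for illustration, and the http/https/ftp allow-list is my recollection of the one the fix adopted, not something this page states.

```python
from urllib.parse import urlsplit

# Assumed allow-list for redirect targets (not stated on the page): anything
# else, including data: and javascript:, is refused before it reaches the
# Location header.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


class UnsafeRedirect(ValueError):
    """Raised when a redirect target carries a scheme outside the allow-list."""


def redirect_scheme(url):
    """Return the lowercase scheme of url, or '' for relative / scheme-less URLs."""
    return urlsplit(url).scheme.lower()


def validate_redirect_target(url):
    """Return url unchanged if its scheme is allowed or absent; otherwise raise.

    A scheme-less target ('/accounts/' or '?next=1') is relative to the current
    origin and cannot switch the browser to a data: document, so it passes.
    """
    scheme = redirect_scheme(url)
    if scheme and scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise UnsafeRedirect("Unsafe redirect to URL with scheme %r" % scheme)
    return url


def is_safe_redirect_target(url):
    """Boolean form of validate_redirect_target for use in views or tests."""
    try:
        validate_redirect_target(url)
    except UnsafeRedirect:
        return False
    return True


def safe_location_header(url):
    """Return the (name, value) pair a checked redirect response would emit."""
    return ("Location", validate_redirect_target(url))


if __name__ == "__main__":
    # Constructed sample targets: two that a vulnerable redirect would relay
    # unchanged, two that are legitimate.
    samples = [
        "https://example.com/next/",
        "/accounts/login/",
        "data:text/html,<b>injected</b>",
        "javascript:void(0)",
    ]
    for target in samples:
        verdict = "allowed" if is_safe_redirect_target(target) else "REJECTED"
        print("%-34s scheme=%-10r %s" % (target, redirect_scheme(target), verdict))
```

Note that a scheme check only addresses the vector this entry describes. It does not decide whether the target's host is one the application intends to send users to; that is a separate open-redirect concern and needs its own host check.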
Remediation
References
Related Vulnerabilities
WordPress Plugin Mailing List 'wpabspath' Parameter Remote File Include (1.3.3)
WordPress Plugin External 'Video for Everybody' Cross-Site Scripting (2.0)
Oracle Database Server Other Vulnerability (CVE-2007-3859)
PHP Use of Password Hash With Insufficient Computational Effort Vulnerability (CVE-2023-0567)