Description
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
Remediation
References
Related Vulnerabilities
Apache HTTP Server NULL Pointer Dereference Vulnerability (CVE-2021-41524)
WordPress Plugin WP Simple Booking Calendar SQL Injection (2.0.6)
Plone CMS Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2012-5500)
PHP Other Vulnerability (CVE-2006-3017)
WordPress Plugin Duplicator-WordPress Migration Cross-Site Scripting (1.2.32)