CVE-2012-3442

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
djangoprojectdjango
𝑥
≤ 1.3
djangoprojectdjango
0.95
djangoprojectdjango
0.96
djangoprojectdjango
1.0
djangoprojectdjango
1.0:alpha1
djangoprojectdjango
1.0:alpha2
djangoprojectdjango
1.0:beta
djangoprojectdjango
1.0:beta2
djangoprojectdjango
1.0.1
djangoprojectdjango
1.0.2
djangoprojectdjango
1.1
djangoprojectdjango
1.1:alpha1
djangoprojectdjango
1.1:beta1
djangoprojectdjango
1.1:rc1
djangoprojectdjango
1.1.2
djangoprojectdjango
1.1.3
djangoprojectdjango
1.1.4
djangoprojectdjango
1.2
djangoprojectdjango
1.2:beta1
djangoprojectdjango
1.2:rc1
djangoprojectdjango
1.2-alpha1
djangoprojectdjango
1.2.2
djangoprojectdjango
1.2.4
djangoprojectdjango
1.2.5
djangoprojectdjango
1.2.6
djangoprojectdjango
1.2.7
djangoprojectdjango
1.3:alpha1
djangoprojectdjango
1.3:beta1
djangoprojectdjango
1.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-django
bullseye (security)
2:2.2.28-1~deb11u2
fixed
bullseye
2:2.2.28-1~deb11u2
fixed
bookworm
3:3.2.19-1+deb12u1
fixed
bookworm (security)
3:3.2.19-1+deb12u1
fixed
sid
3:4.2.16-1
fixed
trixie
3:4.2.16-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-django
precise
Fixed 1.3.1-4ubuntu1.2
released
oneiric
Fixed 1.3-2ubuntu1.3
released
natty
Fixed 1.2.5-1ubuntu1.2
released
lucid
Fixed 1.1.1-2ubuntu1.5
released
hardy
ignored
Common Weakness Enumeration
References
http://www.debian.org/security/2012/dsa-2529
http://www.mandriva.com/security/advisories?name=MDVSA-2012:143
http://www.openwall.com/lists/oss-security/2012/07/31/1
http://www.openwall.com/lists/oss-security/2012/07/31/2
http://www.ubuntu.com/usn/USN-1560-1
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
http://www.debian.org/security/2012/dsa-2529
http://www.mandriva.com/security/advisories?name=MDVSA-2012:143
http://www.openwall.com/lists/oss-security/2012/07/31/1
http://www.openwall.com/lists/oss-security/2012/07/31/2
http://www.ubuntu.com/usn/USN-1560-1
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/