CVE-2011-0697: XSS
First published: Wed Feb 09 2011(Updated: )
<a href="http://www.djangoproject.com/weblog/2011/feb/08/security/">http://www.djangoproject.com/weblog/2011/feb/08/security/</a> Django's form system includes form fields and widgets for performing file uploads; in rendering these fields, the name of the file currently stored in the field is displayed. In the process of rendering, the filename is displayed without being escaped, as reported by Trac user "e.generalov". In many cases this does not result in a cross-site-scripting vulnerability, as file-storage backends can and are encouraged to (and the default backends provided with Django do) sanitize the supplied filename according to their requirements. However, the risk of a vulnerability appearing in a backend which does not sanitize, or which performs insufficient sanitization, is such that Django will now automatically escape filenames in form rendering.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Djangoproject Django | =1.1.2 | |
| Djangoproject Django | =1.1 | |
| Djangoproject Django | =1.1.3 | |
| Djangoproject Django | =1.1.0 | |
| Djangoproject Django | =1.2.1 | |
| Djangoproject Django | =1.2.4 | |
| Djangoproject Django | =1.2.3 | |
| Djangoproject Django | =1.2 | |
| Djangoproject Django | =1.2.2 | |
| pip/Django | >=1.2<1.2.5 | 1.2.5 |
| pip/Django | >=1.1<1.1.4 | 1.1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=676359
- http://openwall.com/lists/oss-security/2011/02/09/6
- http://www.djangoproject.com/weblog/2011/feb/08/security/
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:031
- http://www.ubuntu.com/usn/USN-1066-1
- http://secunia.com/advisories/43230
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html
- http://secunia.com/advisories/43297
- http://www.debian.org/security/2011/dsa-2163
- http://www.vupen.com/english/advisories/2011/0439
- http://www.vupen.com/english/advisories/2011/0388
- http://www.vupen.com/english/advisories/2011/0372
- http://www.vupen.com/english/advisories/2011/0429
- http://www.securityfocus.com/bid/46296
- http://secunia.com/advisories/43382
- http://secunia.com/advisories/43426
- http://www.vupen.com/english/advisories/2011/0441
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=676360
- https://nvd.nist.gov/vuln/detail/CVE-2011-0697
- https://github.com/advisories/GHSA-8m3r-rv5g-fcpq (Advisory)
- https://github.com/django/django/commit/1966786d2dde73e17f39cf340eb33fcb5d73904e
- https://github.com/django/django/commit/1f814a9547842dcfabdae09573055984af9d3fab
- https://github.com/django/django/commit/90be6ca20d607977dec234ec972b77b83955749b
- https://github.com/django/django/commit/a9cf3d23724ff6918103e86aa863eadd1fab811d
- http://www.djangoproject.com/weblog/2011/feb/08/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-11.yaml
- https://web.archive.org/web/20110521033259/http://secunia.com/advisories/43230
- https://web.archive.org/web/20110521033304/http://secunia.com/advisories/43297
- https://web.archive.org/web/20110521033309/http://secunia.com/advisories/43382
- https://web.archive.org/web/20110521033314/http://secunia.com/advisories/43426
- https://web.archive.org/web/20130616104703/http://www.securityfocus.com/bid/46296
Frequently Asked Questions
What is the severity of CVE-2011-0697?
The severity of CVE-2011-0697 is classified as medium due to potential exposure of sensitive file information.
How do I fix CVE-2011-0697?
To fix CVE-2011-0697, upgrade Django to version 1.2.5 or later, or 1.1.4 or later.
What versions of Django are affected by CVE-2011-0697?
CVE-2011-0697 affects Django versions 1.1 through 1.2.4 inclusively.
What type of vulnerability is CVE-2011-0697?
CVE-2011-0697 is a flaw in the file upload handling within Django's form system.
Is there a workaround for CVE-2011-0697?
There is no well-documented workaround for CVE-2011-0697 other than upgrading to a fixed version.
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-0697
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8m3r-rv5g-fcpq
- agent/references
- agent/severity
- agent/last-modified-date
- collector/github-advisory
- agent/softwarecombine
- agent/trending
- agent/tags
- agent/source
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/1.1.2
- version/djangoproject django/1.1
- version/djangoproject django/1.1.3
- version/djangoproject django/1.1.0
- version/djangoproject django/1.2.1
- version/djangoproject django/1.2.4
- version/djangoproject django/1.2.3
- version/djangoproject django/1.2
- version/djangoproject django/1.2.2
- package-manager/pip