What is the severity of CVE-2015-2317?

CVE-2015-2317 has been rated as high severity due to its potential for cross-site scripting (XSS) attacks.

How do I fix CVE-2015-2317?

To fix CVE-2015-2317, upgrade Django to version 1.4.20 or higher, 1.5.11 or higher, 1.6.11 or higher, 1.7.7 or higher, or 1.8c1.

Which versions of Django are affected by CVE-2015-2317?

Django versions prior to 1.4.20, 1.5.x before 1.5.11, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 are affected by CVE-2015-2317.

What is the impact of CVE-2015-2317?

CVE-2015-2317 allows attackers to perform cross-site scripting (XSS) attacks by submitting a specially crafted URL.

Is there a workaround for CVE-2015-2317?

While upgrading is the best solution for CVE-2015-2317, a temporary workaround includes validating user inputs to prevent special characters from being processed.

Vulnerability/
CVE-2015-2317

medium

6.1

CWE

25/3/2015

14/5/2022

18/9/2024

CVE-2015-2317: XSS

First published: Wed Mar 25 2015(Updated: )

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
pip/Django	>=1.8a1<1.8c1	1.8c1
pip/Django	>=1.7<1.7.7	1.7.7
pip/Django	>=1.5<1.6.11	1.6.11
pip/Django	<1.4.20	1.4.20
Debian Debian Linux	=7.0
Fedoraproject Fedora	=22
openSUSE	=13.2
djangoproject Django	<=1.4.19
djangoproject Django	=1.5
djangoproject Django	=1.5-alpha
djangoproject Django	=1.5-beta
djangoproject Django	=1.5.1
djangoproject Django	=1.5.2
djangoproject Django	=1.5.3
djangoproject Django	=1.5.4
djangoproject Django	=1.5.5
djangoproject Django	=1.5.6
djangoproject Django	=1.5.7
djangoproject Django	=1.5.8
djangoproject Django	=1.5.9
djangoproject Django	=1.5.10
djangoproject Django	=1.5.11
djangoproject Django	=1.5.12
djangoproject Django	=1.6
djangoproject Django	=1.6-beta1
djangoproject Django	=1.6-beta2
djangoproject Django	=1.6-beta3
djangoproject Django	=1.6-beta4
djangoproject Django	=1.6.1
djangoproject Django	=1.6.2
djangoproject Django	=1.6.3
djangoproject Django	=1.6.4
djangoproject Django	=1.6.5
djangoproject Django	=1.6.6
djangoproject Django	=1.6.7
djangoproject Django	=1.6.8
djangoproject Django	=1.6.9
djangoproject Django	=1.6.10
djangoproject Django	=1.7-beta1
djangoproject Django	=1.7-beta2
djangoproject Django	=1.7-beta3
djangoproject Django	=1.7-beta4
djangoproject Django	=1.7-rc1
djangoproject Django	=1.7-rc2
djangoproject Django	=1.7-rc3
djangoproject Django	=1.7.1
djangoproject Django	=1.7.2
djangoproject Django	=1.7.3
djangoproject Django	=1.7.4
djangoproject Django	=1.7.5
djangoproject Django	=1.7.6
djangoproject Django	=1.8.0
Oracle Solaris SPARC	=11.2
Ubuntu Linux	=10.04
Ubuntu Linux	=12.04
Ubuntu Linux	=14.04
Ubuntu Linux	=14.10

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2015-2317?
CVE-2015-2317 has been rated as high severity due to its potential for cross-site scripting (XSS) attacks.
How do I fix CVE-2015-2317?
To fix CVE-2015-2317, upgrade Django to version 1.4.20 or higher, 1.5.11 or higher, 1.6.11 or higher, 1.7.7 or higher, or 1.8c1.
Which versions of Django are affected by CVE-2015-2317?
Django versions prior to 1.4.20, 1.5.x before 1.5.11, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 are affected by CVE-2015-2317.
What is the impact of CVE-2015-2317?
CVE-2015-2317 allows attackers to perform cross-site scripting (XSS) attacks by submitting a specially crafted URL.
Is there a workaround for CVE-2015-2317?
While upgrading is the best solution for CVE-2015-2317, a temporary workaround includes validating user inputs to prevent special characters from being processed.

agent/type
agent/description
agent/author
collector/mitre-cve
source/MITRE
agent/event
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-7fq8-4pv5-5w5c
alias/CVE-2015-2317
agent/software-canonical-lookup
agent/severity
agent/references
agent/last-modified-date
collector/github-advisory
agent/trending
agent/source
agent/weakness
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
package-manager/pip
vendor/debian
canonical/debian debian linux
version/debian debian linux/7.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/22
vendor/opensuse
canonical/opensuse
version/opensuse/13.2
vendor/djangoproject
canonical/djangoproject django
version/djangoproject django/1.4.19
version/djangoproject django/1.5
version/djangoproject django/1.5-alpha
version/djangoproject django/1.5-beta
version/djangoproject django/1.5.1
version/djangoproject django/1.5.2
version/djangoproject django/1.5.3
version/djangoproject django/1.5.4
version/djangoproject django/1.5.5
version/djangoproject django/1.5.6
version/djangoproject django/1.5.7
version/djangoproject django/1.5.8
version/djangoproject django/1.5.9
version/djangoproject django/1.5.10
version/djangoproject django/1.5.11
version/djangoproject django/1.5.12
version/djangoproject django/1.6
version/djangoproject django/1.6-beta1
version/djangoproject django/1.6-beta2
version/djangoproject django/1.6-beta3
version/djangoproject django/1.6-beta4
version/djangoproject django/1.6.1
version/djangoproject django/1.6.2
version/djangoproject django/1.6.3
version/djangoproject django/1.6.4
version/djangoproject django/1.6.5
version/djangoproject django/1.6.6
version/djangoproject django/1.6.7
version/djangoproject django/1.6.8
version/djangoproject django/1.6.9
version/djangoproject django/1.6.10
version/djangoproject django/1.7-beta1
version/djangoproject django/1.7-beta2
version/djangoproject django/1.7-beta3
version/djangoproject django/1.7-beta4
version/djangoproject django/1.7-rc1
version/djangoproject django/1.7-rc2
version/djangoproject django/1.7-rc3
version/djangoproject django/1.7.1
version/djangoproject django/1.7.2
version/djangoproject django/1.7.3
version/djangoproject django/1.7.4
version/djangoproject django/1.7.5
version/djangoproject django/1.7.6
version/djangoproject django/1.8.0
vendor/oracle
canonical/oracle solaris sparc
version/oracle solaris sparc/11.2
vendor/canonical
canonical/ubuntu linux
version/ubuntu linux/10.04
version/ubuntu linux/12.04
version/ubuntu linux/14.04
version/ubuntu linux/14.10

CVE-2015-2317: XSS

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2015-2317?

How do I fix CVE-2015-2317?

Which versions of Django are affected by CVE-2015-2317?

What is the impact of CVE-2015-2317?

Is there a workaround for CVE-2015-2317?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2015-2317?

How do I fix CVE-2015-2317?

Which versions of Django are affected by CVE-2015-2317?

What is the impact of CVE-2015-2317?

Is there a workaround for CVE-2015-2317?