What is the severity of CVE-2017-7233?

CVE-2017-7233 is classified as a medium severity vulnerability.

How do I fix CVE-2017-7233?

To fix CVE-2017-7233, upgrade Django to version 1.10.7, 1.9.13, or 1.8.18 or later.

What versions of Django are affected by CVE-2017-7233?

CVE-2017-7233 affects Django versions 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18.

What type of vulnerability is CVE-2017-7233?

CVE-2017-7233 is a security vulnerability related to improper URL validation.

Is user input involved in the exploitation of CVE-2017-7233?

Yes, CVE-2017-7233 relies on user input in some cases, leading to potential security risks.

Vulnerability/
CVE-2017-7233

medium

6.1

CWE

601 79

29/3/2017

4/4/2017

4/1/2019

18/9/2024

CVE-2017-7233: XSS

First published: Wed Mar 29 2017(Updated: )

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Djangoproject Django	=1.8.0
Djangoproject Django	=1.8.0-a1
Djangoproject Django	=1.8.0-b1
Djangoproject Django	=1.8.0-b2
Djangoproject Django	=1.8.0-c1
Djangoproject Django	=1.8.1
Djangoproject Django	=1.8.2
Djangoproject Django	=1.8.3
Djangoproject Django	=1.8.4
Djangoproject Django	=1.8.5
Djangoproject Django	=1.8.6
Djangoproject Django	=1.8.7
Djangoproject Django	=1.8.8
Djangoproject Django	=1.8.9
Djangoproject Django	=1.8.10
Djangoproject Django	=1.8.11
Djangoproject Django	=1.8.12
Djangoproject Django	=1.8.13
Djangoproject Django	=1.8.14
Djangoproject Django	=1.8.15
Djangoproject Django	=1.8.16
Djangoproject Django	=1.8.17
Djangoproject Django	=1.9
Djangoproject Django	=1.9-a1
Djangoproject Django	=1.9-b1
Djangoproject Django	=1.9-rc1
Djangoproject Django	=1.9-rc2
Djangoproject Django	=1.9.1
Djangoproject Django	=1.9.2
Djangoproject Django	=1.9.3
Djangoproject Django	=1.9.4
Djangoproject Django	=1.9.5
Djangoproject Django	=1.9.6
Djangoproject Django	=1.9.7
Djangoproject Django	=1.9.8
Djangoproject Django	=1.9.9
Djangoproject Django	=1.9.10
Djangoproject Django	=1.9.11
Djangoproject Django	=1.9.12
Djangoproject Django	=1.10.0
Djangoproject Django	=1.10.0-a1
Djangoproject Django	=1.10.0-b1
Djangoproject Django	=1.10.0-rc1
Djangoproject Django	=1.10.1
Djangoproject Django	=1.10.2
Djangoproject Django	=1.10.3
Djangoproject Django	=1.10.4
Djangoproject Django	=1.10.5
Djangoproject Django	=1.10.6
redhat/python-django	<1.8.18	1.8.18
redhat/python-django	<1.9.13	1.9.13
redhat/python-django	<1.10.7	1.10.7
redhat/python-django	<1.11	1.11
pip/Django	>=1.8a1<1.8.18	1.8.18
pip/Django	>=1.9a1<1.9.13	1.9.13
pip/Django	>=1.10a1<1.10.7	1.10.7

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2017-7233?
CVE-2017-7233 is classified as a medium severity vulnerability.
How do I fix CVE-2017-7233?
To fix CVE-2017-7233, upgrade Django to version 1.10.7, 1.9.13, or 1.8.18 or later.
What versions of Django are affected by CVE-2017-7233?
CVE-2017-7233 affects Django versions 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18.
What type of vulnerability is CVE-2017-7233?
CVE-2017-7233 is a security vulnerability related to improper URL validation.
Is user input involved in the exploitation of CVE-2017-7233?
Yes, CVE-2017-7233 relies on user input in some cases, leading to potential security risks.

collector/nvd-index
agent/author
agent/type
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2017-7233
agent/software-canonical-lookup
agent/weakness
agent/severity
agent/description
collector/nvd-cve
source/NVD
collector/mitre-cve
source/MITRE
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-37hp-765x-j95x
agent/references
agent/last-modified-date
collector/github-advisory
agent/softwarecombine
agent/trending
agent/tags
agent/source
vendor/djangoproject
canonical/djangoproject django
version/djangoproject django/1.8.0
version/djangoproject django/1.8.0-a1
version/djangoproject django/1.8.0-b1
version/djangoproject django/1.8.0-b2
version/djangoproject django/1.8.0-c1
version/djangoproject django/1.8.1
version/djangoproject django/1.8.2
version/djangoproject django/1.8.3
version/djangoproject django/1.8.4
version/djangoproject django/1.8.5
version/djangoproject django/1.8.6
version/djangoproject django/1.8.7
version/djangoproject django/1.8.8
version/djangoproject django/1.8.9
version/djangoproject django/1.8.10
version/djangoproject django/1.8.11
version/djangoproject django/1.8.12
version/djangoproject django/1.8.13
version/djangoproject django/1.8.14
version/djangoproject django/1.8.15
version/djangoproject django/1.8.16
version/djangoproject django/1.8.17
version/djangoproject django/1.9
version/djangoproject django/1.9-a1
version/djangoproject django/1.9-b1
version/djangoproject django/1.9-rc1
version/djangoproject django/1.9-rc2
version/djangoproject django/1.9.1
version/djangoproject django/1.9.2
version/djangoproject django/1.9.3
version/djangoproject django/1.9.4
version/djangoproject django/1.9.5
version/djangoproject django/1.9.6
version/djangoproject django/1.9.7
version/djangoproject django/1.9.8
version/djangoproject django/1.9.9
version/djangoproject django/1.9.10
version/djangoproject django/1.9.11
version/djangoproject django/1.9.12
version/djangoproject django/1.10.0
version/djangoproject django/1.10.0-a1
version/djangoproject django/1.10.0-b1
version/djangoproject django/1.10.0-rc1
version/djangoproject django/1.10.1
version/djangoproject django/1.10.2
version/djangoproject django/1.10.3
version/djangoproject django/1.10.4
version/djangoproject django/1.10.5
version/djangoproject django/1.10.6
package-manager/redhat
package-manager/pip