PYSEC-2017-10 — Vulnetix

PYSEC-2017-10 PUBLISHED

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.

Affected Products

Vendor	Product	Versions
PyPI	django	1.10, 1.9, 1.8

Timeline

Apr 4, 2017 CVE Published
Nov 8, 2023 CVE Updated
May 1, 2026 Distribution Patch
May 1, 2026 Security Advisory

References

https://www.djangoproject.com/weblog/2017/apr/04/security-releases/ article
http://www.securityfocus.com/bid/97401 url
http://www.securitytracker.com/id/1038177 url
http://www.debian.org/security/2017/dsa-3835 advisory
https://github.com/advisories/GHSA-h4hv-m4h4-mhwg advisory

Open in Interactive Console →