Django Incorrectly Validates URLs
High severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Sep 18, 2024
Description
Published by the National Vulnerability Database
Aug 26, 2014
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Aug 16, 2023
Last updated
Sep 18, 2024
The
core.urlresolvers.reverse
function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a//
(slash slash) in a URL, which triggers a scheme-relative URL to be generated.References