CVE-2008-2302
Description
Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request.
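The reflection the description refers to, and the one-line fix the backports on this page apply, as an added example that is not Django's code: a constructed stand-in for the 0.9x admin login template, the pre-fix and post-fix ways of filling app_path, and a parser-based check a defender can use to confirm that the request path no longer contributes elements to the rendered page. It uses Python's html.escape in place of django.utils.html.escape, and the template string and sample paths are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the admin/login template: app_path is written into
# the form's action attribute, and the 0.9x template engine did no autoescaping.
LOGIN_TEMPLATE = '<form action="{app_path}" method="post">...</form>'

# Constructed sample request paths (not taken from the advisory).
BENIGN_PATH = "/admin/auth/user/"
HOSTILE_PATH = '/admin/"><b>injected</b>'


def render_login_unpatched(path: str) -> str:
    """Pre-fix behaviour: the raw request path is passed as app_path."""
    return LOGIN_TEMPLATE.format(app_path=path)


def render_login_patched(path: str) -> str:
    """Post-fix behaviour: app_path goes through escape() first.

    html.escape(quote=True) stands in for django.utils.html.escape; both
    encode the same five characters: & < > " '
    """
    return LOGIN_TEMPLATE.format(app_path=html.escape(path, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag with its (already unescaped) attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def login_form_is_intact(rendered: str, expected_path: str) -> bool:
    """Defender's check: the page must parse to exactly one <form> whose
    action round-trips to the original path, with no element contributed
    by the path itself."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags == [("form", {"action": expected_path, "method": "post"})]


if __name__ == "__main__":
    for path in (BENIGN_PATH, HOSTILE_PATH):
        print(repr(path),
              "unpatched intact:", login_form_is_intact(render_login_unpatched(path), path),
              "patched intact:", login_form_is_intact(render_login_patched(path), path))
```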
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 0.91, < 0.91.2 | 0.91.2 |
| Django (PyPI) | >= 0.95, < 0.95.3 | 0.95.3 |
| Django (PyPI) | >= 0.96, < 0.96.2 | 0.96.2 |
Affected products
- cpe:2.3:a:django_project:django:0.91:*:*:*:*:*:*:*
- cpe:2.3:a:django_project:django:0.95:*:*:*:*:*:*:*
- cpe:2.3:a:django_project:django:0.96:*:*:*:*:*:*:*
Patches
6e657e2c404a: Backport [7521] to 0.91-bugfixes per security policy; announcement and security bugfix release will be forthcoming.
1 file changed · +2 −1
django/contrib/admin/views/decorators.py+2 −1 modified@@ -2,6 +2,7 @@ from django.conf.settings import SECRET_KEY from django.models.auth import users from django.utils import httpwrappers +from django.utils.html import escape from django.utils.translation import gettext_lazy import base64, datetime, md5 import cPickle as pickle @@ -21,7 +22,7 @@ def _display_login_form(request, error_message=''): post_data = _encode_post_data({}) return render_to_response('admin/login', { 'title': _('Log in'), - 'app_path': request.path, + 'app_path': escape(request.path), 'post_data': post_data, 'error_message': error_message }, context_instance=DjangoContext(request))
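Review bot: escaping in the view is the right layer for this branch, since the 0.9x template engine does no autoescaping and app_path reaches the admin/login template verbatim; the caveat is that escape() must then remain the only encoding step, because a later escape filter or autoescaping in the template would turn the value into &amp;quot;-style double encoding. django.utils.html.escape encodes &, <, >, " and ', so the value is safe whether the template writes app_path into an attribute or into a text node.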
50ce7fb57d79: Backport [7521] to 0.95-bugfixes per security policy; announcement and security bugfix release will be forthcoming.
1 file changed · +2 −1
django/contrib/admin/views/decorators.py+2 −1 modified@@ -3,6 +3,7 @@ from django.contrib.auth.models import User from django.contrib.auth import authenticate, login from django.shortcuts import render_to_response +from django.utils.html import escape from django.utils.translation import gettext_lazy import base64, datetime, md5 import cPickle as pickle @@ -22,7 +23,7 @@ def _display_login_form(request, error_message=''): post_data = _encode_post_data({}) return render_to_response('admin/login.html', { 'title': _('Log in'), - 'app_path': request.path, + 'app_path': escape(request.path), 'post_data': post_data, 'error_message': error_message }, context_instance=template.RequestContext(request))
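Review bot: error_message goes into the same context dict as app_path but stays unescaped. That is fine if every caller of _display_login_form passes a fixed string, which is the usual case, but if any caller builds it from request data it needs the same escape() treatment; worth confirming at the call sites before closing this out.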
7791e5c050ce: Backport [7521] to 0.96-bugfixes per security policy; announcement and security bugfix release will be forthcoming.
1 file changed · +2 −1
django/contrib/admin/views/decorators.py+2 −1 modified@@ -3,6 +3,7 @@ from django.contrib.auth.models import User from django.contrib.auth import authenticate, login from django.shortcuts import render_to_response +from django.utils.html import escape from django.utils.translation import gettext_lazy import base64, datetime, md5 import cPickle as pickle @@ -22,7 +23,7 @@ def _display_login_form(request, error_message=''): post_data = _encode_post_data({}) return render_to_response('admin/login.html', { 'title': _('Log in'), - 'app_path': request.path, + 'app_path': escape(request.path), 'post_data': post_data, 'error_message': error_message }, context_instance=template.RequestContext(request))
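Review bot: this hunk is the same change as the 0.95 backport above, which is expected since both branches carry the same decorators.py, but none of the three backports adds a regression test. A single test that renders the login form for a request path containing a double quote and a less-than sign and asserts that the response carries the encoded forms (&quot; and &lt;) rather than the raw characters would cover all three branches and catch any later reversion.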
References
- secunia.com/advisories/30250 (nvd: Patch, Vendor Advisory)
- www.djangoproject.com/weblog/2008/may/14/security/ (nvd: Patch)
- www.securityfocus.com/bid/29209 (nvd: Patch)
- github.com/advisories/GHSA-54qj-48vx-cr9f (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2008-2302 (ghsa: Advisory)
- www.djangoproject.com/weblog/2008/may/14/security (ghsa: Web)
- exchange.xforce.ibmcloud.com/vulnerabilities/42396 (nvd: Web)
- github.com/django/django/commit/50ce7fb57d79e8940ccf6e2781f2f01df029b5c5 (ghsa: Web)
- github.com/django/django/commit/6e657e2c404a96e744748209e896d8a69c15fdf2 (ghsa: Web)
- github.com/django/django/commit/7791e5c050cebf86d868c5dab7092185b125fdc9 (ghsa: Web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2008-1.yaml (ghsa: Web)
- web.archive.org/web/20080725022008/http://secunia.com/advisories/30291 (ghsa: Web)
- web.archive.org/web/20081012011038/http://secunia.com/advisories/30250 (ghsa: Web)
- web.archive.org/web/20170222015451/http://securitytracker.com/id (ghsa: Web)
- web.archive.org/web/20200228153339/http://www.securityfocus.com/bid/29209 (ghsa: Web)
- secunia.com/advisories/30291 (nvd)
- securitytracker.com/id (nvd)
- www.vupen.com/english/advisories/2008/1618 (nvd)