Moderate severity · NVD Advisory · Published Mar 25, 2015 · Updated Jun 17, 2026
CVE-2015-2317
Description
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
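As an added example (not Django's own code, and not the content of the fix commits), a conservative same-host redirect check that rejects the control-character case the description names, before the URL parser can skip over the control byte; `is_safe_redirect_url`, `has_control_chars` and the sample URLs are hypothetical names and constructed inputs for illustration:

```python
import unicodedata
from urllib.parse import urlparse

# Added example (not Django's code): a redirect-target check of the kind
# CVE-2015-2317 concerns. It refuses any URL carrying a Unicode control
# character, so "\x08javascript:..." is rejected outright rather than being
# stripped into a scheme the browser would honour.

ALLOWED_SCHEMES = ("http", "https")


def has_control_chars(url):
    """True if any character falls in a Unicode 'C*' (control/format/other) category."""
    return any(unicodedata.category(ch).startswith("C") for ch in url)


def is_safe_redirect_url(url, host):
    """Return True only for a relative target or an http(s) URL on `host`.

    `host` is the request's own host name (a constructed value in the tests).
    """
    if not url:
        return False
    # Reject control characters anywhere; do not strip them, since stripping
    # would turn "\x08javascript:" into a plain "javascript:" URL.
    if has_control_chars(url):
        return False
    # Some browsers treat a backslash as a slash; normalise before parsing.
    url = url.replace("\\", "/")
    # Three or more leading slashes are treated as an absolute URL by some browsers.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with no host ("javascript:...", "http:///x") is never a safe target.
    if parts.scheme and not parts.netloc:
        return False
    same_host = (not parts.netloc) or parts.netloc == host
    scheme_ok = (not parts.scheme) or parts.scheme in ALLOWED_SCHEMES
    return same_host and scheme_ok


def classify(urls, host):
    """Map each candidate redirect target to its verdict, for quick review."""
    return {u: is_safe_redirect_url(u, host) for u in urls}


if __name__ == "__main__":
    # Constructed inputs; the first mirrors the advisory's "\x08javascript:" case.
    SAMPLES = ["\x08javascript:alert(1)", "javascript:alert(1)", "/accounts/",
               "https://example.com/next", "//evil.example/", "https://evil.example/"]
    for target, verdict in classify(SAMPLES, "example.com").items():
        print(repr(target), "->", "safe" if verdict else "rejected")
```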
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | < 1.4.20 | 1.4.20 |
| Django (PyPI) | >= 1.5, < 1.6.11 | 1.6.11 |
| Django (PyPI) | >= 1.7, < 1.7.7 | 1.7.7 |
| Django (PyPI) | >= 1.8a1, < 1.8c1 | 1.8c1 |
Affected products
Django (djangoproject), 55 CPE entries:
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* (range: <= 1.4.19)
- cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.12:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:-:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta4:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta4:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
Ubuntu Linux (canonical), 4 CPE entries:
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*
GHSA version ranges (no CPE):
- < 1.4.20
- < 1.6.11-4.1
References
- lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html (NVD: Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2015-04/msg00001.html (NVD: Third Party Advisory)
- ubuntu.com/usn/usn-2539-1 (NVD: Third Party Advisory)
- www.debian.org/security/2015/dsa-3204 (NVD: Third Party Advisory)
- www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html (NVD: Third Party Advisory)
- github.com/advisories/GHSA-7fq8-4pv5-5w5c (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-2317 (GHSA: Advisory)
- www.djangoproject.com/weblog/2015/mar/18/security-releases/ (NVD: Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html (NVD)
- lists.opensuse.org/opensuse-updates/2015-09/msg00035.html (NVD)
- www.mandriva.com/security/advisories (NVD: Broken Link)
- github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b (GHSA)
- github.com/django/django/commit/2a4113dbd532ce952308992633d802dc169a75f1 (GHSA)
- github.com/django/django/commit/5510f070711540aaa8d3707776cd77494e688ef9 (GHSA)
- github.com/django/django/commit/770427c2896a078925abfca2317486b284d22f04 (GHSA)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-9.yaml (GHSA)
- web.archive.org/web/20200228131706/http://www.securityfocus.com/bid/73319 (GHSA)
- www.djangoproject.com/weblog/2015/mar/18/security-releases (GHSA)
- www.securityfocus.com/bid/73319 (NVD)