Medium severity (CVSS 6.1) · NVD Advisory · Published Apr 4, 2017 · Updated May 13, 2026
CVE-2017-7233
Description
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely `django.utils.http.is_safe_url()`) considered some numeric URLs "safe" when they shouldn't be, i.e. an open redirect vulnerability. Also, if a developer relies on `is_safe_url()` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
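The check described above hinges on how the URL is split before the scheme and host are inspected. The following is an added illustration, not Django's code and not code from this advisory: it reimplements, in simplified form, the two splitter behaviours that matter (the older CPython heuristic that read "scheme:digits" as host:port and therefore recognised no scheme, and the same split without that heuristic, which is the behaviour the fixed Django releases rely on), then runs a Django-1.10-style redirect check over both. The input `http:999999999` is the example given in the Django security release notes linked under References; `browser_target()` is my own model of the WHATWG URL rules that make a browser treat `http:999999999` as `http://59.154.201.255/`. All function names and the host `example.com` are assumptions for the demonstration.

```python
"""Illustration of the CVE-2017-7233 check (added example; not Django's code).

Older CPython urlsplit() treated "http:999999999" as host:port with no scheme,
so a Django-style is_safe_url() saw neither scheme nor netloc and allowed it,
while a browser reads the same string as http://59.154.201.255/.
"""
import ipaddress
import unicodedata
from collections import namedtuple

SplitResult = namedtuple("SplitResult", "scheme netloc path query fragment")
SCHEME_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-.")


def _split_rest(scheme, rest):
    """Split netloc/path/query/fragment once the scheme has been decided."""
    netloc = query = fragment = ""
    if rest[:2] == "//":
        end = len(rest)
        for delim in "/?#":          # authority ends at the first of these
            pos = rest.find(delim, 2)
            if 0 <= pos < end:
                end = pos
        netloc, rest = rest[2:end], rest[end:]
    if "#" in rest:
        rest, fragment = rest.split("#", 1)
    if "?" in rest:
        rest, query = rest.split("?", 1)
    return SplitResult(scheme, netloc, rest, query, fragment)


def legacy_urlsplit(url):
    """Simplified reimplementation of the old stdlib heuristic: a valid scheme
    followed only by digits is assumed to be host:port, so no scheme is
    recognised and the whole string becomes the path."""
    i = url.find(":")
    if i > 0 and all(c in SCHEME_CHARS for c in url[:i]):
        rest = url[i + 1:]
        if not rest or any(c not in "0123456789" for c in rest):
            return _split_rest(url[:i].lower(), rest)
    return _split_rest("", url)


def fixed_urlsplit(url):
    """Same split without the port heuristic: any valid scheme is a scheme."""
    i = url.find(":")
    if i > 0 and all(c in SCHEME_CHARS for c in url[:i]):
        return _split_rest(url[:i].lower(), url[i + 1:])
    return _split_rest("", url)


def is_safe_redirect(url, host, urlsplit):
    """Django-1.10-style redirect check (assumed shape, not Django's source),
    parameterised by the splitter so both behaviours can be compared."""
    url = (url or "").strip()
    if not url:
        return False
    # Chrome treats backslashes as slashes, so both spellings must pass.
    return (_is_safe(url, host, urlsplit)
            and _is_safe(url.replace("\\", "/"), host, urlsplit))


def _is_safe(url, host, urlsplit):
    if url.startswith("///"):              # browsers read ///host as absolute
        return False
    parts = urlsplit(url)
    if parts.scheme and not parts.netloc:  # e.g. http:///evil, http:999999999
        return False
    if unicodedata.category(url[0])[0] == "C":  # leading control characters
        return False
    return ((not parts.netloc or parts.netloc == host)
            and (not parts.scheme or parts.scheme in ("http", "https")))


def browser_target(url):
    """Assumed model of WHATWG parsing for a special scheme: '//' is not
    required after 'http:', and an all-digit host is a decimal IPv4 address."""
    scheme, _, rest = url.partition(":")
    host = rest.lstrip("/").split("/", 1)[0]
    if host.isdigit():
        host = str(ipaddress.IPv4Address(int(host)))
    return f"{scheme}://{host}/"


if __name__ == "__main__":
    HOST = "example.com"   # constructed request host
    for candidate in ("/accounts/profile/", "https://example.com/next/",
                      "https://evil.test/", "http:999999999", "javascript:1234"):
        print(f"{candidate:28} legacy={is_safe_redirect(candidate, HOST, legacy_urlsplit)!s:5} "
              f"fixed={is_safe_redirect(candidate, HOST, fixed_urlsplit)!s:5}")
    print("http:999999999 sends the browser to", browser_target("http:999999999"))
```

Run stand-alone, the script prints one row per candidate: `http:999999999` and `javascript:1234` pass the legacy check and fail the fixed one, while ordinary relative and same-host URLs pass both. The splitter is reimplemented rather than taken from `urllib.parse` because current CPython releases no longer apply the host:port heuristic, so calling the stdlib directly would not reproduce the vulnerable behaviour.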
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.10a1, < 1.10.7 | 1.10.7 |
| Django (PyPI) | >= 1.9a1, < 1.9.13 | 1.9.13 |
| Django (PyPI) | >= 1.8a1, < 1.8.18 | 1.8.18 |
Affected products
- cpe:2.3:a:djangoproject:django:1.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.12:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.0:a1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.0:b1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:a1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:b1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:b2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:c1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.13:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.14:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.15:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.16:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.17:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:a1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:b1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:rc2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.6:*:*:*:*:*:*:*
Patches
- 254326cb3682 (github.com/django/django, via GHSA)
- 8339277518c7 (github.com/django/django, via GHSA)
- f824655bc2c5 (github.com/django/django, via GHSA)
References
- www.securityfocus.com/bid/97406 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-37hp-765x-j95x (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7233 (GHSA: Advisory)
- www.djangoproject.com/weblog/2017/apr/04/security-releases/ (NVD: Vendor Advisory)
- www.debian.org/security/2017/dsa-3835 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1445 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1451 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1462 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1470 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1596 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:3093 (NVD: Web)
- access.redhat.com/errata/RHSA-2018:2927 (NVD: Web)
- github.com/django/django/commit/254326cb3682389f55f886804d2c43f7b9f23e4f (GHSA: Web)
- github.com/django/django/commit/8339277518c7d8ec280070a780915304654e3b66 (GHSA: Web)
- github.com/django/django/commit/f824655bc2c50b19d2f202d7640785caabc82787 (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2017-9.yaml (GHSA: Web)
- www.djangoproject.com/weblog/2017/apr/04/security-releases (GHSA: Web)
- www.securitytracker.com/id/1038177 (NVD)