Medium severity (6.1) · NVD Advisory · Published Apr 4, 2017 · Updated Jun 17, 2026
CVE-2017-7233
Description
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely `django.utils.http.is_safe_url()`) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on `is_safe_url()` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
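As an added illustration of the class of check the description refers to (example code written for this page, not Django's `is_safe_url()` and not the project's fix), the function below validates a redirect target before a view either sends the browser to it or renders it into a link. It detects the URL scheme with its own RFC 3986 pattern instead of trusting the parser's verdict, because some versions of Python's `urllib.parse` treat `scheme:digits` as a relative path ending in a port number (empty scheme, empty netloc) while browsers read `http:12345` as an absolute URL whose host is that number; a target of that shape is therefore rejected outright. The allowed-host set, the hosts `example.com` and `evil.example`, and the sample URLs are all constructed for the example.

```python
"""Safe-redirect target validation (example code, not Django's own)."""
import re
import unicodedata
from urllib.parse import urlsplit

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
# Matched on the raw string so a "numeric" target such as "http:12345" is
# recognised as having a scheme even when the parser would call it a path.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Only these schemes may reach a Location header or an href attribute, so
# script-bearing schemes can never be rendered into a link.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` is a path-relative URL, or an absolute
    http(s) URL whose full netloc (host and port, if any) is in `allowed_hosts`.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Browsers skip leading control characters and may then treat the rest
    # as scheme-relative; refuse anything that starts with one.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Some browsers treat "\" like "/", so "\\evil.example" behaves like
    # "//evil.example". Normalise before any further inspection.
    url = url.replace("\\", "/")

    m = _SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    if m and not url[m.end():].startswith("//"):
        # "http:12345": a scheme with no authority marker. A browser still
        # infers a host from what follows, so this is never a local path.
        return False

    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False

    # "///evil.example": the parser sees no netloc, browsers see a host.
    if url.startswith("//") and not parts.netloc:
        return False
    # "http:///example.com": scheme present, authority empty; same problem.
    if scheme and not parts.netloc:
        return False

    if parts.netloc:
        if parts.netloc.lower() not in {h.lower() for h in allowed_hosts}:
            return False
        scheme = scheme or "http"  # "//example.com/p" is http to a browser

    if scheme:
        valid = {"https"} if require_https else ALLOWED_SCHEMES
        if scheme not in valid:
            return False
    return True


def safe_redirect_target(url, allowed_hosts, fallback="/"):
    """What a view should actually redirect to: the candidate if it passes,
    otherwise a fixed local fallback (never the rejected value itself)."""
    return url if is_safe_redirect(url, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed samples; the site's own host is example.com.
    for candidate in ["/accounts/profile/", "https://example.com/next",
                      "http:1234", "//evil.example/x", "\\\\evil.example"]:
        verdict = "allowed" if is_safe_redirect(candidate, {"example.com"}) else "rejected"
        print(f"{candidate!r:>24} -> {verdict}")
```

Entries in `allowed_hosts` are compared against the whole netloc, so a site served on a non-default port must list `host:port`; an entry of the form `user@host` never matches, which also rejects credential-prefixed lookalike targets.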
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Django | PyPI | >= 1.10a1, < 1.10.7 | 1.10.7 |
| Django | PyPI | >= 1.9a1, < 1.9.13 | 1.9.13 |
| Django | PyPI | >= 1.8a1, < 1.8.18 | 1.8.18 |
Affected products
57 affected product entries (49 CPE names, followed by 8 GHSA package coordinates without a CPE):
- cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.0:a1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.0:b1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:a1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:b1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:b2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:c1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.13:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.14:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.15:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.16:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.17:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.12:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:a1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:b1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9:rc2:*:*:*:*:*:*
GHSA coordinates (8 package ranges, no CPE):

| Package (purl) | Affected range |
|---|---|
| pkg:pypi/django | >= 1.10a1, < 1.10.7 |
| pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweed | < 4.2.14-1.1 |
| pkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweed | < 6.0-1.1 |
| pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweed | < 3.2.7-2.3 |
| pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%206 | < 1.8.19-3.6.1 |
| pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207 | < 1.8.19-3.4.1 |
| pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012 | < 1.11.10-5.1 |
| pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012%20SP1 | < 1.11.15-2.1 |
References (18)
- www.securityfocus.com/bid/97406 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-37hp-765x-j95x (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7233 (GHSA: Advisory)
- www.djangoproject.com/weblog/2017/apr/04/security-releases/ (NVD: Vendor Advisory)
- www.debian.org/security/2017/dsa-3835 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1445 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1451 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1462 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1470 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:1596 (NVD: Web)
- access.redhat.com/errata/RHSA-2017:3093 (NVD: Web)
- access.redhat.com/errata/RHSA-2018:2927 (NVD: Web)
- github.com/django/django/commit/254326cb3682389f55f886804d2c43f7b9f23e4f (GHSA: Web)
- github.com/django/django/commit/8339277518c7d8ec280070a780915304654e3b66 (GHSA: Web)
- github.com/django/django/commit/f824655bc2c50b19d2f202d7640785caabc82787 (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2017-9.yaml (GHSA: Web)
- www.djangoproject.com/weblog/2017/apr/04/security-releases (GHSA: Web)
- www.securitytracker.com/id/1038177 (NVD)