{"id":"PYSEC-2017-10","details":"In Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18, a maliciously crafted URL to a site using the ``django.views.static.serve()`` view could redirect the visitor to any other domain, aka an open redirect vulnerability.","aliases":["CVE-2017-7234","GHSA-h4hv-m4h4-mhwg"],"modified":"2023-11-08T03:59:24.075955Z","published":"2017-04-04T17:59:00Z","references":[{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2017/apr/04/security-releases/"},{"type":"WEB","url":"http://www.securityfocus.com/bid/97401"},{"type":"WEB","url":"http://www.securitytracker.com/id/1038177"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3835"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-h4hv-m4h4-mhwg"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.10"},{"fixed":"1.10.7"},{"introduced":"1.9"},{"fixed":"1.9.13"},{"introduced":"1.8"},{"fixed":"1.8.18"}]}],"versions":["1.10","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.8","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.15","1.8.16","1.8.17","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","1.9","1.9.1","1.9.10","1.9.11","1.9.12","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2017-10.yaml"}}],"schema_version":"1.7.3"}