{"id":"PYSEC-2012-2","details":"The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.","aliases":["CVE-2012-3442","GHSA-78vx-ggch-wghm"],"modified":"2023-11-01T05:44:28.794166Z","published":"2012-07-31T17:55:00Z","references":[{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/07/31/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/07/31/2"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-1560-1"},{"type":"ADVISORY","url":"http://www.debian.org/security/2012/dsa-2529"},{"type":"ADVISORY","url":"http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.2"},{"introduced":"1.4"},{"fixed":"1.4.1"}]}],"versions":["1.0.1","1.0.2","1.0.3","1.0.4","1.1","1.1.1","1.1.2","1.1.3","1.1.4","1.2","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.3","1.3.1","1.4"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2012-2.yaml"}}],"schema_version":"1.7.3"}