CVE-2014-0480

Description

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

How to fix CVE-2014-0480

To remediate CVE-2014-0480, upgrade the affected package to a fixed version below.

• —upgrade to 1.6.6-1 or later
• —upgrade to 1.2.3-3+squeeze11 or later
• —upgrade to 1.4.5-1+deb7u8 or later
• —upgrade to 1.4.14 or later
• —upgrade to 1.4.14 or later

Is CVE-2014-0480 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 1.6.6-1
• from 0, < 1.2.3-3+squeeze11
• from 0, < 1.4.5-1+deb7u8
• from 0, < 1.4.14
• from 0, < 1.4.14, >= 1.5, < 1.5.9, >= 1.6, < 1.6.6

CVSS scores

References (17)

• ADVISORYsecunia.com/advisories/59782
• ADVISORYsecunia.com/advisories/61276
• ADVISORYsecunia.com/advisories/61281
• ADVISORYgithub.com/advisories/GHSA-f7cm-ccfp-3q4r
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0480