—

PYSEC-2011-11

Details

Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / django

Introduced in: 1.1 Fixed in: 1.1.4

Fix pip install --upgrade 'django>=1.1.4'

References

https://bugzilla.redhat.com/show_bug.cgi?id=676359 [REPORT]
http://openwall.com/lists/oss-security/2011/02/09/6 [WEB]
http://www.djangoproject.com/weblog/2011/feb/08/security/ [ARTICLE]
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html [WEB]
http://www.mandriva.com/security/advisories?name=MDVSA-2011:031 [ADVISORY]
http://www.ubuntu.com/usn/USN-1066-1 [ADVISORY]
http://secunia.com/advisories/43230 [ADVISORY]
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html [WEB]
http://secunia.com/advisories/43297 [ADVISORY]
http://www.debian.org/security/2011/dsa-2163 [ADVISORY]
http://www.vupen.com/english/advisories/2011/0439 [ADVISORY]
http://www.vupen.com/english/advisories/2011/0388 [ADVISORY]
http://www.vupen.com/english/advisories/2011/0372 [ADVISORY]
http://www.vupen.com/english/advisories/2011/0429 [ADVISORY]
http://www.securityfocus.com/bid/46296 [WEB]
http://secunia.com/advisories/43382 [ADVISORY]
http://secunia.com/advisories/43426 [ADVISORY]
http://www.vupen.com/english/advisories/2011/0441 [ADVISORY]
https://github.com/advisories/GHSA-8m3r-rv5g-fcpq [ADVISORY]