SB2018111940 - Fedora EPEL 7 update for python-django, python-django16

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018111940

SB2018111940 - Fedora EPEL 7 update for python-django, python-django16

Published: November 19, 2018 Updated: April 24, 2025

Security Bulletin ID SB2018111940
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 20% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Cross-site scripting in Django (CVE-ID: CVE-2016-6186)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to improper filtering HTML code from user-supplied input. A remote user can cause arbitrary scripting code execution by the target administrative user's browser. The code will originate from the site running the Django software. As a result, the code will be able to access the target user's cookies, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Cross-site scripting (CVE-ID: CVE-2017-7233)

The disclosed vulnerability allows a remote attacker to redirect website visitors to external websites and perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link, redirect the victim on potentially dangerous website and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


3) Improper input validation (CVE-ID: CVE-2018-7536)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the django.utils.html.urlize() function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted input and cause the service to crash.

4) Resource exhaustion (CVE-ID: CVE-2018-7537)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the django.utils.html.urlize() function due to it was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions. The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. A remote attacker can cause the service to crash.

5) Open redirect (CVE-ID: CVE-2018-14574)

The vulnerability allows a remote unauthenticated attacker to redirect the target user to external websites.

The weakness exists on systems with django.middleware.common.CommonMiddleware and the APPEND_SLASH setting enabled and with a project that has a URL pattern that accepts any path ending in a slash due to open redirect. A remote attacker can use a specially crafted image link, trick the victim into opening it and redirect users to malicious website

Remediation

Install update from vendor's website.

References