CVE-2014-3730
Django Allows Open Redirects
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 0.99%
Description
The django.utils.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com".
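The flaw in the description is a parser mismatch: Python's urlparse does not treat a backslash as a path separator, so "http:\\\djangoproject.com" parses with an empty network location and looks like a relative path, while a browser rewrites the backslashes to slashes and navigates to djangoproject.com. The block below is an added illustration, not code from this page or from Django: a naive redirect-target check that trusts urlparse alone, beside a hardened check that normalises the URL the way a browser would before parsing it. The function names, TRUSTED_HOST and the sample URLs other than the one quoted in the description are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample inputs. MALFORMED_URL is the value quoted in the CVE
# description, i.e. the characters  http:\\\djangoproject.com  (three backslashes).
MALFORMED_URL = "http:\\\\\\djangoproject.com"
TRUSTED_HOST = "example.com"  # assumed host of the application issuing the redirect


def naive_is_safe_url(url, host):
    """Redirect-target check that relies on urlparse alone.

    Because urlparse never treats a backslash as '/', MALFORMED_URL yields an
    empty netloc and is accepted as if it were a relative path, even though a
    browser would follow it to djangoproject.com.
    """
    if not url:
        return False
    parts = urlparse(url)
    return not parts.netloc or parts.netloc == host


def hardened_is_safe_url(url, host, allowed_schemes=("http", "https")):
    """Hardened check (author's own illustration, not Django's implementation).

    The URL is normalised towards browser behaviour before urlparse is trusted.
    """
    if not url:
        return False
    url = url.strip()
    # Browsers treat a backslash exactly like a forward slash.
    url = url.replace("\\", "/")
    # Three leading slashes parse as a relative path in urlparse but as a
    # network-path reference (a new host) in browsers.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with no host (http:///djangoproject.com) is a relative path to
    # urlparse but an absolute URL to a browser.
    if parts.scheme and not parts.netloc:
        return False
    # Only plain web schemes may be followed.
    if parts.scheme and parts.scheme not in allowed_schemes:
        return False
    return not parts.netloc or parts.netloc == host


def compare(url, host=TRUSTED_HOST):
    """Return (naive_verdict, hardened_verdict) for one candidate redirect target."""
    return naive_is_safe_url(url, host), hardened_is_safe_url(url, host)


if __name__ == "__main__":
    candidates = (
        MALFORMED_URL,
        "///evil.example",
        "/accounts/profile/",
        "https://example.com/next",
        "https://evil.example/",
    )
    for candidate in candidates:
        naive, hardened = compare(candidate)
        print(f"{candidate!r:40} naive={naive!s:5} hardened={hardened}")
```

Running the block shows the naive check accepting both the backslash form and the triple-slash form, while the hardened check rejects them and still accepts a relative path or a same-host absolute URL.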
How to fix CVE-2014-3730
To remediate CVE-2014-3730, upgrade the affected package to a fixed version below.
- upgrade to 1.6.5-1 or later
- upgrade to 1.4.13 or later
- upgrade to 1.4.13 or later
Is CVE-2014-3730 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.6.5-1
- >= 1.4, < 1.4.13
- >= 1.4, < 1.4.13, >= 1.5, < 1.5.8, >= 1.6, < 1.6.5, >= 1.7a0, < 1.7b4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |