Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.

References

• https://nvd.nist.gov/vuln/detail/CVE-2011-0697
• https://bugzilla.redhat.com/show_bug.cgi?id=676359
• GHSA-8m3r-rv5g-fcpq
• http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html
• http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html
• http://openwall.com/lists/oss-security/2011/02/09/6
• http://www.debian.org/security/2011/dsa-2163
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:031
• http://www.ubuntu.com/usn/USN-1066-1
• django/django@1966786
• django/django@1f814a9
• django/django@90be6ca
• django/django@a9cf3d2
• http://www.djangoproject.com/weblog/2011/feb/08/security
• https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-11.yaml
• https://web.archive.org/web/20110521033259/http://secunia.com/advisories/43230
• https://web.archive.org/web/20110521033304/http://secunia.com/advisories/43297
• https://web.archive.org/web/20110521033309/http://secunia.com/advisories/43382
• https://web.archive.org/web/20110521033314/http://secunia.com/advisories/43426
• https://web.archive.org/web/20130616104703/http://www.securityfocus.com/bid/46296