
CVE-2015-2241: Django Cross-site Scripting Vulnerability

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.49007%
Published: 5/17/2022
Updated: 9/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
django       | pip       | < 1.7.6             | 1.7.6
django       | pip       | >= 1.8a1, < 1.8b2   | 1.8b2

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stemmed from the contents function in admin/helpers.py when handling non-field readonly attributes. The commit diff shows the fix added autoescape=True to the linebreaksbr() calls. This confirms the original function lacked proper escaping for properties, making it the direct source of the XSS vulnerability when rendering untrusted content.
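To make the root cause concrete, here is an added illustration (not Miggo's or Django's code): a deliberately minimal stand-in for Django's linebreaksbr filter and safe-string marking, with the readonly-property rendering step written once the pre-fix way (no autoescape) and once the fixed way (autoescape=True). The class, function and sample names are assumptions chosen for the illustration.

```python
"""Minimal re-implementation of the linebreaksbr / mark_safe behaviour that
CVE-2015-2241 depends on. Assumption: the filter turns newlines into <br />
and marks its output safe, escaping only when asked to, as the fix implies."""
from html import escape


class SafeString(str):
    """Stand-in for Django's SafeString: HTML the template renders verbatim."""


def mark_safe(value):
    """Wrap a string so the template layer will not escape it again."""
    return value if isinstance(value, SafeString) else SafeString(value)


def linebreaksbr(value, autoescape=False):
    """Replace newlines with <br /> and mark the result safe.
    Escaping happens only when autoescape=True and the input is not already safe,
    so a caller that omits autoescape ships raw HTML as 'safe'."""
    autoescape = autoescape and not isinstance(value, SafeString)
    text = value.replace("\r\n", "\n").replace("\r", "\n")
    if autoescape:
        text = escape(text, quote=True)
    return mark_safe(text.replace("\n", "<br />"))


def render_readonly_property_vulnerable(value):
    """Pre-1.7.6 pattern: untrusted property output passes through
    linebreaksbr() with no autoescape and is emitted unescaped."""
    return linebreaksbr(str(value))


def render_readonly_property_fixed(value):
    """Fixed pattern: autoescape=True escapes before the result is marked safe."""
    return linebreaksbr(str(value), autoescape=True)


def is_escaped(rendered):
    """Defender check: no angle bracket may survive apart from the <br /> tags
    the filter itself inserts."""
    return "<" not in rendered.replace("<br />", "")


# Constructed sample: a model property whose value an attacker can influence.
UNTRUSTED_PROPERTY_VALUE = "line one\n<script>alert(1)</script>"

if __name__ == "__main__":
    print("vulnerable:", render_readonly_property_vulnerable(UNTRUSTED_PROPERTY_VALUE))
    print("fixed:     ", render_readonly_property_fixed(UNTRUSTED_PROPERTY_VALUE))
```

Run stand-alone, the vulnerable rendering keeps the raw script tag while the fixed one emits only entity-encoded text plus the inserted <br />.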


WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in the contents function in `admin/helpers.py` in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in `ModelAdmin.readonly_fields`,