6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20182

GHSA ID

GHSA-p4g9-c9qr-wmg5

EPSS Score

0.18277%

CWE

CWE-79

Published

3/10/2023

Updated

10/20/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-20182

CVE-2017-20182: Cross-site Scripting in django-ajax-utilities

A vulnerability was found in Mobile Vikings Django AJAX Utilities and classified as problematic. This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The patch is on commit 329eb1dd1580ca1f9d4f95bc69939833226515c9 which has been inclused in release 1.2.8. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222611.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20182

GHSA ID

GHSA-p4g9-c9qr-wmg5

EPSS Score

0.18277%

CWE

CWE-79

Published

3/10/2023

Updated

10/20/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
django-ajax-utilities	pip	< 1.2.8	1.2.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the ajax function's URL handling in pagination.js. The original code only checked if the URL started with '/' and didn't have two slashes. Attackers could bypass this by using backslashes (e.g., '#page:/\google.com'), which modern browsers normalize to valid URLs. The patch explicitly adds a check for '/\' to block this vector. The function's direct manipulation of untrusted URL input without proper sanitization matches the XSS vulnerability pattern described in CWE-79.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in Mo*il* Vikin*s *j*n*o *J*X Utiliti*s *n* *l*ssi*i** *s pro*l*m*ti*. T*is issu* *****ts t** *un*tion P**in*tion o* t** *il* *j*n*o_*j*x/st*ti*/*j*x-utiliti*s/js/p**in*tion.js o* t** *ompon*nt ***ksl*s* **n*l*r. T** m*nipul

Reasoning

T** vuln*r**ility st*ms *rom t** *j*x *un*tion's URL **n*lin* in `p**in*tion.js`. T** ori*in*l *o** only ****k** i* t** URL st*rt** wit* '/' *n* *i*n't **v* two sl*s**s. *tt**k*rs *oul* *yp*ss t*is *y usin* ***ksl*s**s (*.*., '#p***:/\*oo*l*.*om'), w

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-20182: Cross-site Scripting in django-ajax-utilities

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI