CVE-2013-6044
Date: (C) 2013-10-09   (M) 2023-12-22


The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score: 4.3
Exploit Score: 8.6
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
  
Reference:
SECTRACK-1028915
SECUNIA-54476
BID-61777
DSA-2740
RHSA-2013:1521
http://seclists.org/oss-sec/2013/q3/369
http://seclists.org/oss-sec/2013/q3/411
django-issafeurl-xss(86437)
https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
openSUSE-SU-2013:1541

CPE (8)
cpe:/a:djangoproject:django:1.4.5
cpe:/a:djangoproject:django:1.6:beta1
cpe:/a:djangoproject:django:1.4.4
cpe:/a:djangoproject:django:1.4
...
CWE (1)
CWE-79

© SecPod Technologies