CVE-2013-6044

2013-10-0417:55:10

Debian Security Bug Tracker

security-tracker.debian.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.008

Percentile

81.2%

JSON

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL’s scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by “the login view in django.contrib.auth.views” and the javascript: scheme.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-django< 1.5.2-1python-django_1.5.2-1_all.deb
Debian11allpython-django< 1.5.2-1python-django_1.5.2-1_all.deb
Debian999allpython-django< 1.5.2-1python-django_1.5.2-1_all.deb
Debian13allpython-django< 1.5.2-1python-django_1.5.2-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-django	< 1.5.2-1	python-django_1.5.2-1_all.deb
Debian	11	all	python-django	< 1.5.2-1	python-django_1.5.2-1_all.deb
Debian	999	all	python-django	< 1.5.2-1	python-django_1.5.2-1_all.deb
Debian	13	all	python-django	< 1.5.2-1	python-django_1.5.2-1_all.deb