CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
81.2%
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6,
1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL’s scheme as safe
even if it is not HTTP or HTTPS, which might introduce cross-site scripting
(XSS) or other vulnerabilities into Django applications that use this
function, as demonstrated by “the login view in django.contrib.auth.views”
and the javascript: scheme.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 10.04 | noarch | python-django | < 1.1.1-2ubuntu1.9 | UNKNOWN |
ubuntu | 12.04 | noarch | python-django | < 1.3.1-4ubuntu1.8 | UNKNOWN |
ubuntu | 12.10 | noarch | python-django | < 1.4.1-2ubuntu0.4 | UNKNOWN |
ubuntu | 13.04 | noarch | python-django | < 1.4.5-1ubuntu0.1 | UNKNOWN |
seclists.org/oss-sec/2013/q3/369
seclists.org/oss-sec/2013/q3/411
secunia.com/advisories/54476
www.securitytracker.com/id/1028915
xforce.iss.net/xforce/xfdb/86437
github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a
launchpad.net/bugs/cve/CVE-2013-6044
nvd.nist.gov/vuln/detail/CVE-2013-6044
security-tracker.debian.org/tracker/CVE-2013-6044
ubuntu.com/security/notices/USN-1967-1
www.cve.org/CVERecord?id=CVE-2013-6044
www.djangoproject.com/weblog/2013/aug/13/security-releases-issued