CVE-2013-4249
Published: 2013-10-04
Priority: P4 · 19 · medium · 4.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 2.88% (85.1th percentile)
Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.5.2-1 (bookworm) | python-django 1.5.2-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.5 < 1.5.2 | 1.5.2 |
CVSS provenance
- nvd (CVSS 2.0): 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
- osv: 4.3 MEDIUM
- vendor_debian: 4.3 MEDIUM
Source entries (each carries the same description as above)
- GHSA: "Django cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget" (ghsa, 2022-05-17, MEDIUM, CWE-79)
- OSV: "Django cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget" (osv, 2022-05-17, MEDIUM)
- OSV: "CVE-2013-4249: Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets" (osv, 2013-10-04, CVSS 4.3, MEDIUM)
- Debian: "CVE-2013-4249: python-django - Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in co..." (vendor_debian, 2013, CVSS 4.3, MEDIUM)
Scope: local
bookworm: resolved (fixed in 1.5.2-1)
bullseye: resolved (fixed in 1.5.2-1)
forky: resolved (fixed in 1.5.2-1)
sid: resolved (fixed in 1.5.2-1)
trixie: resolved (fixed in 1.5.2-1)
No detection rules found.
No public exploits indexed.
arXiv
DjangoChecker: Applying Extended Taint Tracking and Server Side Parsing for Detection of Context-Sensitive XSS Flaws (arxiv_fulltext, 2020-05-14)
## Abstract
Cross-site scripting (XSS) flaws are a class of security flaws that permit the injection of malicious code into a web application.
In simple situations, these flaws can be caused by missing input sanitizations. Sometimes, however, all application inputs
are sanitized, but the sanitizations are not appropriate for the browser contexts of the sanitized values. Using an incorrect
sanitizer can make the application look protected, when it is in fact vulnerable as if no sanitization was used, creating a context-sensitive XSS flaw.
To discover context-sensitive XSS flaws, we introduce DjangoChecker.
DjangoChecker combines extended dynamic taint tracking with a model browser for context analysis.
We demonstrate the practical application of DjangoChecker on eight mature web applicati
Bugzilla
CVE-2013-4249 python-django: XSS in admin interface (bugzilla, 2013-08-14, CVSS 4.3, MEDIUM)
Django 1.5.2 was released to correct the following security flaw:
The Django administrative application, django.contrib.admin, provides functionality for CRUD (Creation, Retrieval, Updating and Deleting) operations by trusted users, including facilities for both automatic and customized data-manipulation interfaces.
When displaying the value of a URLField -- a model field type for storing URLs -- this interface treated the values of such fields as safe, thus failing to properly accommodate the potential for dangerous values. A proof-of-concept application has been provided to the Django project, showing how this can be exploited to perform XSS in the administrative interface.
In a normal Django deployment, this will only affect the ad
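To make the flaw concrete, here is an added Python illustration (not Django's own widget code) of the pattern the advisory describes: once a stored URL value is marked as safe, the escaping step that would otherwise neutralise markup in it is skipped, and the admin page renders whatever the field contains. The `SafeString` marker, `conditional_escape` and `render_admin_url_widget` names are assumptions made for this example, and the sample field value is constructed.

```python
import html


class SafeString(str):
    """Marker type: a string the caller vouches for as already escaped.

    Assumption for this example; it plays the role of a 'safe' marker so
    that the escaping helper can skip values flagged this way.
    """


def conditional_escape(value) -> str:
    """Escape unless the value has been explicitly marked safe."""
    if isinstance(value, SafeString):
        return str(value)
    # quote=True also escapes " and ', which matters inside attributes.
    return html.escape(str(value), quote=True)


def render_admin_url_widget(value: str, treat_as_safe: bool) -> str:
    """Render the 'Currently: <link>' snippet an admin change form shows.

    treat_as_safe=True reproduces the vulnerable behaviour described in the
    advisory (the stored value is trusted and not escaped);
    treat_as_safe=False is the hardened behaviour (value is escaped first).
    """
    if treat_as_safe:
        value = SafeString(value)
    shown = conditional_escape(value)
    return '<p class="url">Currently: <a href="%s">%s</a></p>' % (shown, shown)


# Constructed sample: a URLField value that carries attribute-breaking
# characters and a tag. Any value under a remote user's control would do.
CONSTRUCTED_VALUE = 'http://example.com/?q="><b>x</b>'


def markup_survives(value: str, treat_as_safe: bool) -> bool:
    """Detection helper: does raw <b> markup reach the rendered output?"""
    return "<b>" in render_admin_url_widget(value, treat_as_safe)


if __name__ == "__main__":
    print("vulnerable :", render_admin_url_widget(CONSTRUCTED_VALUE, True))
    print("hardened   :", render_admin_url_widget(CONSTRUCTED_VALUE, False))
```

Running the block prints the two renderings side by side; the hardened one shows `&lt;b&gt;` and `&quot;` where the vulnerable one emits a live tag and a closed attribute.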
References
- http://seclists.org/oss-sec/2013/q3/369
- http://seclists.org/oss-sec/2013/q3/411
- http://secunia.com/advisories/54476
- http://www.securitytracker.com/id/1028915
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86438
- https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78
- https://github.com/django/django/commit/cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560
- https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

Published: 2013-10-04