CVE-2013-6044
Published 2013-10-04
CVE-2013-6044: The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is…
Priority: P4 · 19 · Severity: medium · CVSS 2.0 base score 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 2.30% (81.1st percentile)
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
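The defect described above is a missing scheme allowlist: a host-only check lets a `javascript:` URL through because such a URL has no host component at all. The following is an added illustration, not Django's own code, showing that host-only pattern beside a hardened check that also restricts the scheme to http/https. The function names, the constructed sample redirect targets and the host `app.example` are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample redirect targets, of the kind a login view might
# receive in a "next" parameter. Not taken from the advisory.
SAMPLE_TARGETS = [
    "/accounts/profile/",                 # relative path: fine
    "https://app.example/dashboard",      # same host, https: fine
    "http://evil.example/",               # foreign host
    "//evil.example/",                    # scheme-relative, foreign host
    "javascript:alert(document.cookie)",  # the scheme this CVE is about
    "JavaScript:alert(1)",                # mixed-case scheme
    "data:text/html,hello",               # another non-web scheme
]


def host_only_check(url, host):
    """Vulnerable pattern: accepts any URL whose host is empty or matches.
    A javascript: or data: URL has no netloc, so it passes."""
    if not url:
        return False
    parts = urlsplit(url)
    return not parts.netloc or parts.netloc == host


ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect(url, host):
    """Hardened pattern (hypothetical name): the host must be empty or match,
    and the scheme must be empty (a relative URL) or http/https.
    urlsplit() lowercases the scheme, so 'JavaScript:' is caught too."""
    if not url:
        return False
    parts = urlsplit(url)
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def classify(targets=SAMPLE_TARGETS, host="app.example"):
    """Return {url: (host_only_result, hardened_result)} for each sample,
    so the two checks can be compared side by side."""
    return {u: (host_only_check(u, host), is_safe_redirect(u, host))
            for u in targets}


if __name__ == "__main__":
    for url, (naive, hardened) in classify().items():
        print(f"{url!r:40} host-only={naive!s:5} hardened={hardened}")
```

The comparison shows the two checks agreeing on every http/https and relative target and disagreeing exactly on the non-web schemes, which is the gap the advisory describes. In current Django the maintained helper is `url_has_allowed_host_and_scheme` (the renamed `is_safe_url`), which should be preferred over a hand-written check in real applications.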
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.5.2-1 (bookworm) | python-django 1.5.2-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.4 < 1.4.6 | 1.4.6 |
| djangoproject | django | >= 1.5 < 1.5.2 | 1.5.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
GHSA · 2022-05-17
Django cross-site scripting (XSS) vulnerability via is_safe_url function
CVE-2013-6044 [MEDIUM] CWE-79
OSV · 2022-05-17
Django cross-site scripting (XSS) vulnerability via is_safe_url function
CVE-2013-6044 [MEDIUM]
OSV · 2013-10-04 · CVSS 4.3
CVE-2013-6044: The is_safe_url function in utils/http
CVE-2013-6044 [MEDIUM]
Red Hat · 2013-08-14 · CVSS 4.3
python-django: xss in is_safe_url function
CVE-2013-6044 [MEDIUM] CWE-79
Package: Django (Red Hat Subscription Asset Manager): Will not fix
Debian · 2013 · CVSS 4.3
CVE-2013-6044: python-django - The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x be...
CVE-2013-6044 [MEDIUM]
Scope: local
- bookworm: resolved (fixed in 1.5.2-1)
- bullseye: resolved (fixed in 1.5.2-1)
- forky: resolved (fixed in 1.5.2-1)
- sid: resolved (fixed in 1.5.2-1)
- trixie: resolved (fixed in 1.5.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2013-10-08 · CVSS 4.3
CVE-2013-6044 Django14: python-django: xss in is_safe_url function [epel-6]
CVE-2013-6044 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 tracking bug for
Bugzilla · 2013-10-08 · CVSS 4.3
CVE-2013-6044 python-django: xss in is_safe_url function [fedora-all]
CVE-2013-6044 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects mul
Bugzilla · 2013-10-08 · CVSS 4.3
CVE-2013-6044 python-django: xss in is_safe_url function
CVE-2013-6044 [MEDIUM]
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6044 to the following vulnerability:
Name: CVE-2013-6044
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6044
Assigned: 20131004
Reference: http://seclists.org/oss-sec/2013/q3/369
Reference: http://seclists.org/oss-sec/2013/q3/411
Reference: https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
Reference: https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
Reference: https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a
Reference: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
Reference: http://www.securityfocus.com/bid/61777
Reference: SECTRA
References:
- http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html
- http://rhn.redhat.com/errata/RHSA-2013-1521.html
- http://seclists.org/oss-sec/2013/q3/369
- http://seclists.org/oss-sec/2013/q3/411
- http://secunia.com/advisories/54476
- http://www.debian.org/security/2013/dsa-2740
- http://www.securityfocus.com/bid/61777
- http://www.securitytracker.com/id/1028915
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86437
- https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
- https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
- https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a
- https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
Published: 2013-10-04