CVE-2013-6044Cross-site Scripting in Django

CWE-79Cross-site Scripting10 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
4.1%
top 11.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Djangoproject Django
Timeline
PublishedOct 4
Latest updateMay 17

Description

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

PyPIdjangoproject/django1.41.4.6+1
NVDdjangoproject/django8 versions+7

Patches

Patch: www.djangoproject.comPatch: www.djangoproject.com

🔴Vulnerability Details

4
GHSA
Django cross-site scripting (XSS) vulnerability via is_safe_url function2022-05-17
OSV
Django cross-site scripting (XSS) vulnerability via is_safe_url function2022-05-17
OSV
CVE-2013-6044: The is_safe_url function in utils/http2013-10-04
CVEList
CVE-2013-6044: The is_safe_url function in utils/http2013-10-04

📋Vendor Advisories

2
Red Hat
python-django: xss in is_safe_url function2013-08-14
Debian
CVE-2013-6044: python-django - The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x be...2013

💬Community

3
Bugzilla
CVE-2013-6044 Django14: python-django: xss in is_safe_url function [epel-6]2013-10-08
Bugzilla
CVE-2013-6044 python-django: xss in is_safe_url function [fedora-all]2013-10-08
Bugzilla
CVE-2013-6044 python-django: xss in is_safe_url function2013-10-08
CVE-2013-6044 — Cross-site Scripting in Django | cvebase