QwikSec

Security Database

CVE

CWE

Training

CVE-2013-6044

Published: Oct 4, 2013

Modified: Aug 6, 2024

PUBLISHED

Description

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

vdb-entry

x_refsource_BID

vdb-entry

x_refsource_SECTRACK

openSUSE-SU-2013:1541

vendor-advisory

x_refsource_SUSE

https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a

x_refsource_CONFIRM

third-party-advisory

x_refsource_SECUNIA

vendor-advisory

x_refsource_REDHAT

[oss-security] 20130814 [CVE request] Django 1.4.6 security release

mailing-list

x_refsource_MLIST

https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

x_refsource_CONFIRM

django-issafeurl-xss(86437)

vdb-entry

x_refsource_XF

https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762

x_refsource_CONFIRM

https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f

x_refsource_CONFIRM

[oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_DEBIAN

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.