| Field | Value |
|---|---|
| Vulnerability Name | CVE-2013-6044 (CCN-87861) |
| Assigned | 2013-08-14 |
| Published | 2013-08-14 |
| Updated | 2017-11-17 |
| Summary | The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme. |
| CVSS v3 Severity | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) |
| CVSS v2 Severity | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N); 3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C); 3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) |
| Vulnerability Type | CWE-79 |
| Vulnerability Consequences | Cross-Site Scripting |
| Vulnerable Configuration | Configuration 1: Denotes that component is vulnerable |
| Oval Definitions | |

References:

- MITRE (CNA): CVE-2013-6044
- SUSE: openSUSE-SU-2013:1541
- REDHAT: RHSA-2013:1521
- CCN (oss-sec mailing list, Wed, 14 Aug 2013 07:31:00 +0200): [CVE request] Django 1.4.6 security release
- MLIST: [oss-security] 20130814 [CVE request] Django 1.4.6 security release
- MLIST: [oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release
- CCN (SA54476): Django "is_safe_url()" Cross-Site Scripting and "URLField" Script Insertion Vulnerabilities
- SECUNIA (Vendor Advisory): 54476
- DEBIAN: DSA-2740
- BID: 61777
- CCN (BID-61777): Django 'is_safe_url()' Function Cross Site Scripting Vulnerability
- SECTRACK: 1028915
- XF: django-issafeurl-xss(86437)
- XF: django-cve20136044-xss(87861)
- CONFIRM: https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
- CONFIRM: https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
- CONFIRM: https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a
- CCN (Django Web Site): Django
- CONFIRM (Patch, Vendor Advisory): https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
- CCN (Django Weblog): Security releases issued