CVE-2013-6044

Published: Oct 4, 2013Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.

Affected (8)

Products: Djangoproject: Django

1 product

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Djangoproject Django	Version 1.4.1
Djangoproject Django	Version 1.4.2
Djangoproject Django	Version 1.4.4
Djangoproject Django	Version 1.4.5
Djangoproject Django	Version 1.4
Djangoproject Django	Version 1.5.1
Djangoproject Django	Version 1.5
Djangoproject Django	Version 1.6 beta1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (26)

http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2013-1521.html

Source: cve@mitre.org

http://seclists.org/oss-sec/2013/q3/369

Source: cve@mitre.org

http://seclists.org/oss-sec/2013/q3/411

Source: cve@mitre.org

http://secunia.com/advisories/54476

Source: cve@mitre.org

Vendor Advisory

http://www.debian.org/security/2013/dsa-2740

Source: cve@mitre.org

http://www.securityfocus.com/bid/61777

Source: cve@mitre.org

http://www.securitytracker.com/id/1028915

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/86437

Source: cve@mitre.org

https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f

Source: cve@mitre.org

https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762

Source: cve@mitre.org

https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a

Source: cve@mitre.org

https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

Source: cve@mitre.org

PatchVendor Advisory

http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-1521.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/oss-sec/2013/q3/369

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/oss-sec/2013/q3/411

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/54476

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.debian.org/security/2013/dsa-2740

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/61777

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securitytracker.com/id/1028915

Source: af854a3a-2127-422b-91ae-364da2661108

https://exchange.xforce.ibmcloud.com/vulnerabilities/86437

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.