CVE - CVE-2013-6044

CVE-ID
CVE-2013-6044	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20130814 [CVE request] Django 1.4.6 security release URL:http://seclists.org/oss-sec/2013/q3/369 MLIST:[oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release URL:http://seclists.org/oss-sec/2013/q3/411 CONFIRM:https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f CONFIRM:https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762 CONFIRM:https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a CONFIRM:https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued DEBIAN:DSA-2740 URL:http://www.debian.org/security/2013/dsa-2740 REDHAT:RHSA-2013:1521 URL:http://rhn.redhat.com/errata/RHSA-2013-1521.html SUSE:openSUSE-SU-2013:1541 URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html BID:61777 URL:http://www.securityfocus.com/bid/61777 SECTRACK:1028915 URL:http://www.securitytracker.com/id/1028915 SECUNIA:54476 URL:http://secunia.com/advisories/54476 XF:django-issafeurl-xss(86437) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/86437
Assigning CNA
N/A
Date Entry Created
20131004	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20131004)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org