CVE-2013-6044

Name: CVE-2013-6044
Description: The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-2740-1
NVD severity: medium (attack range: remote, user-initiated)
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release                       Version              Status
python-django (PTS)   squeeze, squeeze (security)   1.2.3-3+squeeze10    fixed
                      squeeze (lts)                 1.2.3-3+squeeze13    fixed
                      wheezy                        1.4.5-1+deb7u8       fixed
                      wheezy (security)             1.4.5-1+deb7u12      fixed
                      jessie                        1.7.7-1              fixed
                      jessie (security)             1.7.7-1+deb8u1       fixed
                      stretch, sid                  1.7.9-1              fixed

The information below is based on the following data on fixed versions.

Package         Type     Release      Fixed Version        Urgency   Origin       Debian Bugs
python-django   source   (unstable)   1.5.2-1              medium
python-django   source   squeeze      1.2.3-3+squeeze6     medium    DSA-2740-1
python-django   source   wheezy       1.4.5-1+deb7u1       medium    DSA-2740-1
