CVE-2013-6044

Name: CVE-2013-6044
Description: The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
Source: CVE (at NVD)
References: DSA-2740-1
NVD severity: medium (attack range: remote)
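The check described above only looked at the network location of the target URL, so a scheme-bearing URL with an empty host part (javascript:, data:, and so on) was accepted as "safe" for a redirect. The following added example (written for this page, not Django's own utils/http.py; the two checkers are modelled on the pre- and post-fix behaviour the description gives, and the resolve_redirect helper and example.com host are assumptions) puts the unfixed logic beside the corrected one and runs both over a set of constructed redirect targets, including the login view's typical ?next= use.

```python
from urllib.parse import urlparse


def is_safe_url_vulnerable(url, host=None):
    """Pre-fix behaviour (illustrative, not Django's code): only the netloc
    is compared with the expected host. A URL whose scheme carries no host,
    such as javascript:alert(1), has an empty netloc and is accepted."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url_fixed(url, host=None):
    """Post-fix behaviour (illustrative): in addition to the host check, the
    scheme must be absent (a relative path) or exactly http/https.
    urlparse() lowercases the scheme, so 'JavaScript:' is caught too."""
    if not url:
        return False
    parts = urlparse(url)
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ("http", "https")
    return host_ok and scheme_ok


def resolve_redirect(next_url, host, default="/accounts/profile/",
                     checker=is_safe_url_fixed):
    """Mimic what a login view does with a user-supplied ?next= value
    (assumed helper): use it only if the checker accepts it, otherwise
    fall back to a fixed default target."""
    return next_url if checker(next_url, host=host) else default


# Constructed sample targets, as an attacker or a legitimate user might
# supply them in ?next=. They are not taken from any real report.
SAMPLE_TARGETS = [
    "/accounts/profile/",
    "https://example.com/dashboard",
    "//evil.example/phish",
    "http://evil.example/phish",
    "javascript:alert(document.cookie)",
    "JavaScript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
]


def compare(targets=SAMPLE_TARGETS, host="example.com"):
    """Return {url: (vulnerable_verdict, fixed_verdict)} for each target."""
    return {u: (is_safe_url_vulnerable(u, host), is_safe_url_fixed(u, host))
            for u in targets}


if __name__ == "__main__":
    for url, (old, new) in compare().items():
        print(f"{url:45} vulnerable={old!s:5} fixed={new!s:5}")
    print(resolve_redirect("javascript:alert(1)", "example.com",
                           checker=is_safe_url_vulnerable))
    print(resolve_redirect("javascript:alert(1)", "example.com"))
```

Running the block shows that both versions reject an off-host target such as //evil.example/phish, but only the fixed version rejects javascript: and data: targets; the vulnerable resolve_redirect call hands the javascript: URL straight back to the view, while the fixed one falls back to the default. Note that this fix addresses the scheme only; later Django releases tightened is_safe_url further against other parser ambiguities, so applications should rely on the current upstream implementation rather than this illustrative one.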

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release             Version            Status
python-django    wheezy              1.4.5-1+deb7u14    fixed
                 wheezy (security)   1.4.5-1+deb7u16    fixed
                 jessie              1.7.7-1+deb8u3     fixed
                 jessie (security)   1.7.7-1+deb8u4     fixed
                 stretch, sid        1.9.5-2            fixed

The information below is based on the following data on fixed versions.

Package         Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
python-django   source   (unstable)   1.5.2-1             medium
python-django   source   squeeze      1.2.3-3+squeeze6    medium    DSA-2740-1
python-django   source   wheezy       1.4.5-1+deb7u1      medium    DSA-2740-1
