CVE-2013-6044

python-django: xss in is_safe_url function

Severity Score

4.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.

La función is_safe_url en utils/http.py de Django 1.4.x anterior a la versión 1.4.6, 1.5.x anterior a la versión 1.5.2, y 1.6 anterior a beta 2 trata un esquema de URL como seguro incluso si no es HTTP o HTTPS, lo que podría permitir XSS u otras vulnerabilidades en aplicaciones Django que usen esta función, como se ha demostrado con "la vista de inicio de sesión en django.contrib.auth.views" y el javascript: scheme.

Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. It was discovered that the django.utils.http.is_safe_url() function considered any URL that used a scheme other than HTTP or HTTPS as safe. An attacker could potentially use this flaw to perform cross-site scripting attacks. A directory traversal flaw was found in Django's "ssi" template tag, which takes a file path as input and outputs that file's contents. An attacker able to alter templates that made use of the "ssi" tag on a site could use this flaw to access any local files accessible to Django.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-10-04 CVE Reserved
2013-10-04 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (15)

URL	Tag	Source
http://seclists.org/oss-sec/2013/q3/369	Mailing List
http://seclists.org/oss-sec/2013/q3/411	Mailing List
http://www.securityfocus.com/bid/61777	Vdb Entry
http://www.securitytracker.com/id/1028915	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86437	Vdb Entry
https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f	X_refsource_confirm
https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762	X_refsource_confirm
https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued	2017-11-17

URL	Date	SRC
http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html	2017-11-17
http://rhn.redhat.com/errata/RHSA-2013-1521.html	2017-11-17
http://secunia.com/advisories/54476	2017-11-17
http://www.debian.org/security/2013/dsa-2740	2017-11-17
https://access.redhat.com/security/cve/CVE-2013-6044	2013-11-14
https://bugzilla.redhat.com/show_bug.cgi?id=1016394	2013-11-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				1.4 Search vendor "Djangoproject" for product "Django" and version "1.4"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				1.4.1 Search vendor "Djangoproject" for product "Django" and version "1.4.1"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				1.4.2 Search vendor "Djangoproject" for product "Django" and version "1.4.2"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				1.4.4 Search vendor "Djangoproject" for product "Django" and version "1.4.4"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				1.4.5 Search vendor "Djangoproject" for product "Django" and version "1.4.5"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				1.5 Search vendor "Djangoproject" for product "Django" and version "1.5"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				1.5.1 Search vendor "Djangoproject" for product "Django" and version "1.5.1"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				1.6 Search vendor "Djangoproject" for product "Django" and version "1.6"		beta1		Affected