4.3

CVE-2013-6044

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DjangoprojectDjango Version1.4
DjangoprojectDjango Version1.4.1
DjangoprojectDjango Version1.4.2
DjangoprojectDjango Version1.4.4
DjangoprojectDjango Version1.4.5
DjangoprojectDjango Version1.5
DjangoprojectDjango Version1.5.1
DjangoprojectDjango Version1.6 Updatebeta1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.3% 0.81
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html
http://rhn.redhat.com/errata/RHSA-2013-1521.html
http://seclists.org/oss-sec/2013/q3/369
http://seclists.org/oss-sec/2013/q3/411
http://secunia.com/advisories/54476
Vendor Advisory
http://www.securitytracker.com/id/1028915
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
Patch
Vendor Advisory
http://www.debian.org/security/2013/dsa-2740
http://www.securityfocus.com/bid/61777
https://exchange.xforce.ibmcloud.com/vulnerabilities/86437
https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a