cve/2013/CVE-2013-6044.md

### [CVE-2013-6044](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6044)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.

### POC

#### Reference
- http://seclists.org/oss-sec/2013/q3/369
- https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

#### Github
No PoCs found on GitHub currently.
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`### [CVE-2013-6044](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6044)`
			`![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			`The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.`

			`### POC`

			`#### Reference`
			`- http://seclists.org/oss-sec/2013/q3/369`
			`- https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued`

			`#### Github`
			`No PoCs found on GitHub currently.`