
7 matches found

OSV
added 2022/05/17 12:23 a.m. | 24 views

GHSA-9CWG-MHXF-HH59 Django cross-site scripting (XSS) vulnerability via is_safe_url function

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, a...

CVSS 6.1 | AI score 5.4 | EPSS 0.04123
Exploits 0 | References 13
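The record above describes a redirect-target check that looks only at the host part of the URL, so a `javascript:` or `data:` URL (which has no host) passes and can be handed to the browser as a redirect or link. The following is an added example, not Django's own code: a simplified reconstruction of a host-only check next to a hardened version that additionally allowlists the scheme. Function names and the sample host are illustrative; the backslash and triple-slash handling in the hardened version is extra defence against browser URL-parsing quirks and goes beyond what this record describes.

```python
from urllib.parse import urlparse

# Illustrative constants and function names (not Django's API).
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url_netloc_only(url, host):
    """Weak check: accepts any URL whose host is empty or equals `host`.

    Because `javascript:alert(1)` parses with an empty netloc, it is accepted.
    """
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url_hardened(url, host):
    """Hardened check: same host rule, plus the scheme must be http(s)."""
    if not url:
        return False
    # Browsers treat "///host" as an absolute URL although urlparse does not.
    if url.startswith("///"):
        return False
    # Browsers also treat backslashes as slashes ("http:\\evil" == "http://evil").
    parts = urlparse(url.replace("\\", "/"))
    if parts.netloc and parts.netloc != host:
        return False
    # Reject any explicit scheme that is not in the allowlist.
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return True


# Constructed sample redirect targets an attacker might submit in ?next=...
SAMPLE_TARGETS = [
    "/accounts/profile/",            # relative path: legitimate
    "https://good.example/next",     # same host, allowed scheme: legitimate
    "javascript:alert(1)",           # no host, dangerous scheme
    "data:text/html,<script>1</script>",
    "//evil.example/",               # protocol-relative, foreign host
    "http:\\\\evil.example",         # backslash trick, empty netloc for urlparse
]


def compare_checks(host="good.example"):
    """Return {url: (netloc_only_result, hardened_result)} for the samples."""
    return {
        url: (is_safe_url_netloc_only(url, host), is_safe_url_hardened(url, host))
        for url in SAMPLE_TARGETS
    }


if __name__ == "__main__":
    for url, (weak, strong) in compare_checks().items():
        print(f"{url!r:40} netloc-only={weak!s:5} hardened={strong}")
```

Run against the constructed targets, the host-only check accepts `javascript:`, `data:` and the backslash form, while the hardened check accepts only the relative path and the same-host HTTPS URL.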
myhack58
added 2015/04/24 12:00 a.m. | 21 views

Security notice: Django framework arbitrary file inclusion vulnerability (vulnerability warning)

On 21 April, the Python open-source web framework Django published a security bulletin stating that the contrib.markup package in Django versions ≤ 1.5 contains an arbitrary file inclusion vulnerability, which an attacker can exploit through docutils. About docutils: the Docutils project i...

AI score 0.7
Exploits 0
OSV
added 2013/10/04 5:55 p.m. | 29 views

PYSEC-2013-21

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, a...

CVSS 4.3 | AI score 0.6 | EPSS 0.04123
Exploits 0 | References 13
Prion
added 2013/10/04 5:55 p.m. | 15 views

Cross-site scripting

Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField...

CVSS 4.3 | AI score 6 | EPSS 0.00809
Exploits 2 | References 8 | Affected software 1
Debian CVE
added 2013/10/04 5:00 p.m. | 18 views

CVE-2013-4249

Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField...

CVSS 4.3 | AI score 5.5 | EPSS 0.00809
Exploits 2
CVE
added 2013/10/04 5:00 p.m. | 65 views

CVE-2013-4249

CVE-2013-4249 affects Django's AdminURLFieldWidget in contrib/admin/widgets.py, enabling XSS via URLField input. The issue is in Django 1.5.x prior to 1.5.2 and 1.6.x prior to 1.6 beta 2, where user-supplied URLs can inject script/HTML. In the connected records, upstream Django issued security re...

CVSS 4.3 | AI score 5.5 | EPSS 0.00809
Exploits 2 | References 8 | Affected software 1
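The CVE-2013-4249 records above (Prion, Debian CVE, CVE) describe a widget that renders a stored URL as a "Currently: <a href=...>" link. The following is an added example, not Django's code: a minimal rendering function with the URL interpolated into HTML unescaped, next to a hardened version that percent-encodes the value for the `href` attribute, HTML-escapes everything it emits, and refuses to make non-http(s) URLs clickable. Function names are illustrative; the sample payloads are constructed.

```python
from html import escape
from urllib.parse import quote, urlparse

# Illustrative names (not Django's API).
ALLOWED_SCHEMES = {"http", "https"}
# Characters left unencoded in the href so ordinary URLs survive intact
# (RFC 3986 delimiters plus '%', so already-encoded input is not double-encoded).
URL_SAFE_CHARS = "/:?#[]@!$&'()*+,;=%~"


def render_url_widget_vulnerable(value):
    """Unsafe: the stored URL goes straight into attribute and text context."""
    return '<p class="url">Currently: <a href="%s">%s</a></p>' % (value, value)


def render_url_widget_hardened(value):
    """Safe rendering of an untrusted URL for an admin 'Currently:' preview."""
    shown = escape(value, quote=True)  # text context: escape <, >, &, ", '
    scheme = urlparse(value).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        # javascript:, data:, vbscript: ... are displayed but never linked.
        return '<p class="url">Currently: %s</p>' % shown
    # Attribute context: percent-encode, then HTML-escape (e.g. & -> &amp;).
    href = escape(quote(value, safe=URL_SAFE_CHARS), quote=True)
    return '<p class="url">Currently: <a href="%s">%s</a></p>' % (href, shown)


# Constructed payloads of the kind a URLField would accept in a form post.
SAMPLE_VALUES = [
    "https://good.example/?a=1&b=2",                   # benign
    'http://example.com/"><script>alert(1)</script>',  # breaks out of href
    "javascript:alert(document.cookie)",               # script scheme
]


def render_all(renderer):
    """Render each sample with `renderer`; returns {value: html}."""
    return {value: renderer(value) for value in SAMPLE_VALUES}


if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        print("vulnerable:", render_url_widget_vulnerable(value))
        print("hardened:  ", render_url_widget_hardened(value))
        print()
```

The hardened renderer applies both encodings in the right order: percent-encoding first (so `"` and `<` cannot terminate the attribute or start a tag), HTML escaping second (so `&` in a query string becomes `&amp;`, which the browser decodes back to `&` before following the link).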
UbuntuCve
added 2013/02/20 12:00 a.m. | 24 views

CVE-2013-0305

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information...

CVSS 4 | AI score 5.9 | EPSS 0.00245
Exploits 1 | References 3