CVE-2013-4249

Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.

Published: Oct 4, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-4249
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
djangoproject / django	1.5	1.5.x
djangoproject / django	1.5.1	1.5.1.x
djangoproject / django	1.5-beta	1.5-beta.x
djangoproject / django	1.6-beta1	1.6-beta1.x
djangoproject / django	1.5-alpha	1.5-alpha.x

http://seclists.org/oss-sec/2013/q3/369
http://seclists.org/oss-sec/2013/q3/411
http://secunia.com/advisories/54476
http://www.securitytracker.com/id/1028915
https://exchange.xforce.ibmcloud.com/vulnerabilities/86438
https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78
https://github.com/django/django/commit/cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued

Vulnerability Database

289,697

CVE-2013-4249