VDB
GCVE-110-MAGEIA-2013-283
GCVE-110-MAGEIA-2013-283
Advisory Published
Rainer Koirikivi discovered a directory traversal vulnerability with
'ssi' template tags in python-django, a high-level Python web development
framework. It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS'
setting, used to represent allowed prefixes for the {% ssi %} template
tag, is vulnerable to a directory traversal attack, by specifying a file
path which begins as the absolute path of a directory in
'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free. To
exploit this vulnerability an attacker must be in a position to alter
templates on the site, or the site to be attacked must have one or more
templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag
(CVE-2013-4315).
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | python-django | 0 (affected), 1.3.7-1.2.mga2 (unaffected) | — |
Aliases
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.