6.8

CVE-2011-4140

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DjangoprojectDjango Version <= 1.2.6
DjangoprojectDjango Version0.91
DjangoprojectDjango Version0.95
DjangoprojectDjango Version0.95.1
DjangoprojectDjango Version0.96
DjangoprojectDjango Version1.0
DjangoprojectDjango Version1.0.1
DjangoprojectDjango Version1.0.2
DjangoprojectDjango Version1.1
DjangoprojectDjango Version1.1.0
DjangoprojectDjango Version1.1.2
DjangoprojectDjango Version1.1.3
DjangoprojectDjango Version1.2
DjangoprojectDjango Version1.2.1
DjangoprojectDjango Version1.2.1 Update2
DjangoprojectDjango Version1.2.2
DjangoprojectDjango Version1.2.3
DjangoprojectDjango Version1.2.4
DjangoprojectDjango Version1.2.5
DjangoprojectDjango Version1.3
DjangoprojectDjango Version1.3 Updatealpha1
DjangoprojectDjango Version1.3 Updatealpha2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.09% 0.611
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://openwall.com/lists/oss-security/2011/09/11/1
Patch
http://openwall.com/lists/oss-security/2011/09/13/2
Patch
https://bugzilla.redhat.com/show_bug.cgi?id=737366
Patch
https://www.djangoproject.com/weblog/2011/sep/09/
Patch
Vendor Advisory
https://www.djangoproject.com/weblog/2011/sep/10/127/
Patch
http://secunia.com/advisories/46614
http://www.debian.org/security/2011/dsa-2332
https://hermes.opensuse.org/messages/14700881