
Moderate severity vulnerability that affects django

Moderate severity. GitHub Reviewed. Published Jul 23, 2018 to the GitHub Advisory Database; updated Jan 9, 2023.

Package

django (pip)

Affected versions

< 1.2.7
>= 1.3.0, < 1.3.1

Patched versions

1.2.7
1.3.1

Description

The CSRF protection mechanism in Django before 1.2.7 and 1.3.x before 1.3.1 does not properly handle web-server configurations that accept arbitrary HTTP Host headers. On such a deployment, a remote attacker can trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code. (The fixed releases are 1.2.7 and 1.3.1, matching the patched versions listed above.)
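The precondition the advisory names is deployment-side: the application is served for any Host header the client cares to send. The following is an added example, not code from Django or from this advisory, showing the check a practitioner wants in front of such an application: a WSGI middleware that refuses requests whose normalized Host header is not an exact member of an allowlist, run offline against a stand-in app. The allowlist, the wrapped app and the request environs are constructed for the demonstration; nothing here is Django's own API.

```python
"""Refuse to serve requests whose Host header is not on an explicit allowlist.

Added example, not code from Django or from the advisory. ALLOWED_HOSTS, the
wrapped application and the request environs are constructed for the demo.
"""

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist


def normalize_host(raw_host):
    """Return a canonical hostname, or None if the header is missing or malformed.

    Lower-cases, strips a trailing dot (FQDN form) and a :port suffix, and keeps
    IPv6 literals in bracketed form. Returning None makes callers fail closed
    instead of matching an odd spelling of an allowed name.
    """
    if not raw_host:
        return None
    host = raw_host.strip().lower()
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        if end == -1:
            return None
        host = host[: end + 1]
    elif ":" in host:                             # hostname:port
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    host = host.rstrip(".")
    return host or None


def host_allowed(raw_host, allowed=ALLOWED_HOSTS):
    """True only when the normalized Host header is an exact allowlist member."""
    host = normalize_host(raw_host)
    return host is not None and host in allowed


class HostAllowlistMiddleware:
    """WSGI wrapper that answers 400 before the application sees a foreign Host."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), self.allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Request: invalid Host header\n"]
        return self.app(environ, start_response)


def application(environ, start_response):
    """Stand-in for the Django app (constructed): serves whoever reaches it."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served by the application\n"]


def call_app(app, host):
    """Drive a WSGI callable with a constructed GET / and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_PROTOCOL": "HTTP/1.1"}
    if host is not None:
        environ["HTTP_HOST"] = host
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = HostAllowlistMiddleware(application)
    for host in ["example.com", "WWW.EXAMPLE.COM.:8443", "attacker.test", None]:
        # The bare app answers every Host; the wrapped one only allowlisted names.
        print(f"{host!s:24} bare={call_app(application, host)[0]:16} "
              f"guarded={call_app(guarded, host)[0]}")
```

The same check belongs in the web server itself (a catch-all default virtual host that closes or rejects connections for unknown names) so the application never receives a request for a hostname the operator does not own; later Django releases (1.5 and up) added the ALLOWED_HOSTS setting to enforce this inside the framework as well.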

Published to the GitHub Advisory Database Jul 23, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Moderate

CVE ID

CVE-2011-4140

GHSA ID

GHSA-h95j-h2rv-qrg4
