CVE-2008-3909 — Cross-Site Request Forgery in Django

CWE-352 — Cross-Site Request Forgery7 documents6 sources

Severity

5.8MEDIUMNVD

EPSS

0.4%

top 41.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Django Project Django

Timeline

PublishedSep 4

Latest updateMay 2

Description

The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶PyPIdjangoproject/django0.91.0 — 0.91.3+2

▶NVDdjango_project/django0.91, 0.95, 0.96+2

Patches

Patch: www.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

Django cross-site request forgery (CSRF) vulnerability↗2022-05-02

▶

GHSA

Django cross-site request forgery (CSRF) vulnerability↗2022-05-02

▶

CVEList

CVE-2008-3909: The administration application in Django 0↗2008-09-04

▶

OSV

CVE-2008-3909: The administration application in Django 0↗2008-09-04

▶

📋Vendor Advisories

Debian

CVE-2008-3909: python-django - The administration application in Django 0.91, 0.95, and 0.96 stores unauthentic...↗2008

▶

💬Community

Bugzilla

CVE-2008-3909 Django: CSRF issue fixed in 0.96.3↗2008-09-03

▶