CVE-2008-3909
Published 2008-09-04
CVE-2008-3909: The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication…
Priority: P4 · 24 · medium · 5.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
EPSS: 0.93% (56.2nd percentile)
The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
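The mechanism behind the advisory is easier to see in code. What follows is an added illustration, not Django's own code and not the patch: it models the behaviour the description gives (an unauthenticated POST to the admin is parked and then processed once the user logs in) and sets it beside the behaviour a fixed admin should have (the parked POST is discarded, and every authenticated state-changing POST must carry a session-bound token). All names (`Request`, `login_then_replay_admin`, `login_then_redirect_admin`, the `/admin/app/thing/delete/` route, the credentials) are constructed for the simulation. The attack flow it drives is the one the advisory implies: a cross-site form posts a delete while the victim is logged out, the victim sees what looks like an ordinary admin login page, and logs in.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request. `session` is the server-side
    session the browser's cookie points at; in 2008 browsers sent that cookie
    on cross-site POSTs too, so a forged POST reaches the victim's session."""
    method: str
    path: str
    POST: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def check_password(username, password):
    # Constructed credentials for the simulation only.
    return username == "admin" and password == "correct horse battery staple"


def delete_view(request, store):
    """A state-changing admin view: deletes the object named in the POST body."""
    store.pop(int(request.POST["id"]), None)
    return "deleted"


ROUTES = {"/admin/app/thing/delete/": delete_view}   # hypothetical admin route


def login_then_replay_admin(request, store):
    """VULNERABLE pattern, modelled on the advisory text (not Django's code):
    an unauthenticated POST is parked and replayed verbatim after login."""
    if request.session.get("user"):
        return ROUTES[request.path](request, store)
    if "username" in request.POST:                       # a login attempt
        if check_password(request.POST.get("username"), request.POST.get("password")):
            request.session["user"] = request.POST["username"]
            pending = request.session.pop("pending_post", None)
            if pending:                                  # replay the parked POST
                path, data = pending
                return ROUTES[path](Request("POST", path, data, request.session), store)
            return "index"
        return "login-form"
    if request.method == "POST":                         # park it, show the login form
        request.session["pending_post"] = (request.path, dict(request.POST))
    return "login-form"


def login_then_redirect_admin(request, store):
    """HARDENED pattern: an unauthenticated POST body is dropped (the user lands
    on the index after login), and an authenticated state-changing POST must
    carry a token bound to the session, compared in constant time."""
    if not request.session.get("user"):
        if "username" in request.POST and check_password(
            request.POST.get("username"), request.POST.get("password")
        ):
            request.session["user"] = request.POST["username"]
            request.session["csrf_token"] = secrets.token_hex(16)
            return "index"
        return "login-form"                              # forged body discarded here
    if request.method == "POST":
        expected = request.session.get("csrf_token")
        supplied = request.POST.get("csrfmiddlewaretoken")
        if not expected or not supplied or not secrets.compare_digest(expected, supplied):
            return "403"
    return ROUTES[request.path](request, store)


def run_csrf_scenario(admin):
    """Drive one admin implementation through the attack: a cross-site form
    posts a delete while the victim is logged out, then the victim logs in.
    Returns (store after the run, list of responses)."""
    store = {1: "record to protect"}                     # constructed data
    session = {}                                         # victim's browser session
    forged = Request("POST", "/admin/app/thing/delete/", {"id": "1"}, session)
    login = Request("POST", "/admin/", {"username": "admin",
                                        "password": "correct horse battery staple"}, session)
    responses = [admin(forged, store), admin(login, store)]
    return store, responses


def run_logged_in_scenario():
    """Hardened admin with the victim already logged in: a forged POST without
    the session-bound token is refused; a same-origin POST carrying it succeeds."""
    store = {1: "record to protect"}
    session = {"user": "admin", "csrf_token": secrets.token_hex(16)}
    forged = Request("POST", "/admin/app/thing/delete/", {"id": "1"}, session)
    first = login_then_redirect_admin(forged, store)
    legit = Request("POST", "/admin/app/thing/delete/",
                    {"id": "1", "csrfmiddlewaretoken": session["csrf_token"]}, session)
    second = login_then_redirect_admin(legit, store)
    return first, second, store


if __name__ == "__main__":
    print(run_csrf_scenario(login_then_replay_admin))    # vulnerable: record is gone
    print(run_csrf_scenario(login_then_redirect_admin))  # hardened: record survives
    print(run_logged_in_scenario())                      # ("403", "deleted", {})
```

Two checks fall out of the model. First, the login form is the dangerous surface: if a login page ever carries a hidden copy of an earlier request body, or a session key that a later view replays, the authenticated user is executing a request they never composed, whatever its origin. Second, a per-session token on every state-changing POST is the control that holds even when the replay is removed; for the affected releases the practical check is simply that the installed Django is at or above 0.91.3, 0.95.4 or 0.96.3, or 1.0-1 on Debian, as the ranges below state.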
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.0-1 (bookworm) | python-django 1.0-1 (bookworm) |
| djangoproject | django | >= 0.91 < 0.91.3 | 0.91.3 |
| djangoproject | django | >= 0.91.0 < 0.91.3 | 0.91.3 |
| djangoproject | django | >= 0.95 < 0.95.4 | 0.95.4 |
| djangoproject | django | >= 0.95.0 < 0.95.4 | 0.95.4 |
| djangoproject | django | >= 0.96 < 0.96.3 | 0.96.3 |
| djangoproject | django | >= 0.96.0 < 0.96.3 | 0.96.3 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P |
| osv | | 5.8 | MEDIUM | |
| vendor_debian | | 5.8 | MEDIUM | |
OSV · 2022-05-02 · severity HIGH
Django cross-site request forgery (CSRF) vulnerability
The administration application in Django 0.91.x, 0.95.x, and 0.96.x stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
GHSA · 2022-05-02 · severity HIGH · CWE-352
Django cross-site request forgery (CSRF) vulnerability
The administration application in Django 0.91.x, 0.95.x, and 0.96.x stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
OSV · 2008-09-04 · CVSS 5.8 · severity MEDIUM
The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
Debian (vendor_debian) · 2008 · CVSS 5.8 · severity MEDIUM · package python-django
The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
Scope: local
bookworm: resolved (fixed in 1.0-1)
bullseye: resolved (fixed in 1.0-1)
forky: resolved (fixed in 1.0-1)
sid: resolved (fixed in 1.0-1)
trixie: resolved (fixed in 1.0-1)
No detection rules found.
No public exploits indexed.
References
http://osvdb.org/47906
http://secunia.com/advisories/31837
http://secunia.com/advisories/31961
http://www.debian.org/security/2008/dsa-1640
http://www.djangoproject.com/weblog/2008/sep/02/security/
http://www.openwall.com/lists/oss-security/2008/09/03/4
http://www.vupen.com/english/advisories/2008/2533
https://bugzilla.redhat.com/show_bug.cgi?id=460966
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00091.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00131.html