CVE-2010-4535 — Improper Input Validation in Django

CWE-20 — Improper Input Validation9 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

4.7%

top 10.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedJan 10

Latest updateJul 23

Description

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.2 — 1.2.4+1

▶NVDdjangoproject/django1.1.2+14

Patches

Patch: code.djangoproject.com ↗Patch: www.djangoproject.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

Improper date handling in Django↗2018-07-23

▶

GHSA

Improper date handling in Django↗2018-07-23

▶

CVEList

CVE-2010-4535: The password reset functionality in django↗2011-01-10

▶

OSV

CVE-2010-4535: The password reset functionality in django↗2011-01-10

▶

💥Exploits & PoCs

Exploit-DB

Mongoose Web Server 2.8 - Multiple Directory Traversals↗2010-04-20

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2011-01-07

▶

Debian

CVE-2010-4535: python-django - The password reset functionality in django.contrib.auth in Django before 1.1.3, ...↗2010

▶

💬Community

Bugzilla

CVE-2010-4534, CVE-2010-4535 Information leakage and DoS vulnerabilities in Django < 1.2.4 & 1.1.3↗2010-12-23

▶