CVE-2011-0696: Cross-Site Request Forgery in Django

Severity: 6.8 MEDIUM (NVD)
EPSS: 2.8% (top 13.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 14; Latest update Jul 23

Description

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P (Exploitability: 8.6 | Impact: 6.4)

Affected Packages (5 packages)

- PyPI: djangoproject/django, 1.1 to 1.1.4 (+1)
- NVD: djangoproject/django, 9 versions (+8)
- RubyGems: actionpack_project/actionpack, 2.1.0 to 2.3.11 (+1)
- Debian: rubyonrails/rails, < 2.3.11-0.1 (+3)
- NVD: rubyonrails/rails, 16 versions (+15)

Patches

Vulnerability Details (8)

- GHSA: Cross-site request forgery in Django (2018-07-23)
- OSV: Cross-site request forgery in Django (2018-07-23)
- GHSA: actionpack Cross-Site Request Forgery vulnerability (2017-10-24)
- OSV: actionpack Cross-Site Request Forgery vulnerability (2017-10-24)
- OSV: CVE-2011-0696: Django 1 (2011-02-14)

Vendor Advisories (3)

- Ubuntu: Django vulnerabilities (2011-02-17)
- Debian: CVE-2011-0447: rails - Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does ... (2011)
- Debian: CVE-2011-0696: python-django - Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP... (2011)

Community (3)

- Bugzilla: CVE-2011-0447 rubygem-actionpack: CSRF flaws due improper validation of HTTP headers containing X-Requested-With header (2011-02-15)
- Bugzilla: CVE-2011-0696 CVE-2011-0697 Django various flaws [fedora-all] (2011-02-09)
- Bugzilla: CVE-2011-0696 django Flaw in CSRF handling (2011-02-09)