CVE-2011-4140 — Cross-Site Request Forgery in Django

CWE-352 — Cross-Site Request Forgery9 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

0.3%

top 42.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedOct 19

Latest updateJul 23

Description

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDdjangoproject/django1.2.6+18

▶PyPIdjangoproject/django1.3 — 1.3.1+1

Patches

Patch: openwall.com ↗Patch: openwall.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

Django Cross-Site Request Forgery vulnerability↗2018-07-23

▶

OSV

Django Cross-Site Request Forgery vulnerability↗2018-07-23

▶

CVEList

CVE-2011-4140: The CSRF protection mechanism in Django through 1↗2011-10-19

▶

OSV

CVE-2011-4140: The CSRF protection mechanism in Django through 1↗2011-10-19

▶

💥Exploits & PoCs

Exploit-DB

Open Flash Chart 2 - Arbitrary File Upload (Metasploit)↗2013-10-26

▶

📋Vendor Advisories

Debian

CVE-2011-4140: python-django - The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 do...↗2011

▶

💬Community

Bugzilla

CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws [epel-6]↗2011-09-30

▶

Bugzilla

CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws↗2011-09-11

▶