CVE-2011-4140
published 2011-10-19


Priority: P428 · medium · 6.8 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 1.09% (61.3rd percentile)
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Affected

22 ranges

Vendor          Product         Version range                        Fixed in
debian          python-django   < python-django 1.3.1-1 (bookworm)   python-django 1.3.1-1 (bookworm)
djangoproject   django          <= 1.2.6
djangoproject   django          0 – 1.2.7
djangoproject   django          1.3 – 1.3.1
djangoproject   django          (18 further entries listed without a version range or fix version)

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                       6.8     MEDIUM
vendor_debian             6.8     MEDIUM