CVE-2012-4520: Improper Input Validation in Django

Severity: 6.4 MEDIUM (NVD)
EPSS: 3.9% (top 11.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published 2012-11-18; latest update 2022-05-17

Description

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values. The Host value was used unvalidated to build absolute URLs (for example password-reset links), so a header carrying a userinfo component such as `trusted.example@attacker.example` yields a URL that displays the trusted name but is resolved by the browser to the attacker's host.
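
The following is an added illustration, not Django's own code: it contrasts a view that builds a reset link straight from the Host header with a hardened variant that validates the header's syntax and checks it against a deployment allowlist. The host regex, the `ALLOWED_HOSTS` set, the `SuspiciousHost` exception and the sample header values are assumptions constructed for the example; the point they demonstrate is why a `@` in a trusted-looking Host value redirects the generated URL.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not from the advisory): the first is a legitimate
# Host header, the second is what an attacker would send if the web server
# forwards arbitrary Host values to the application unchanged.
GOOD_HOST = "www.example.com"
POISONED_HOST = "www.example.com@attacker.example"


def reset_link_unvalidated(host_header, path="/accounts/reset/abc123/"):
    """Mirrors the weakness: the Host header is trusted as-is when building
    an absolute URL, e.g. for a password-reset e-mail."""
    return "http://" + host_header + path


# Illustrative hostname pattern (assumed, not Django's exact expression):
# letters, digits, '.', '-', and an optional numeric port. No '@', so a
# userinfo component can never be smuggled into the authority.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(?::[0-9]+)?$")

# Assumed deployment allowlist of hostnames this site may be served under.
ALLOWED_HOSTS = {"www.example.com"}


class SuspiciousHost(ValueError):
    """Raised when the Host header fails syntax or allowlist validation."""


def validated_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return the Host header only if it is syntactically a host[:port]
    and the host part is in the allowlist; otherwise reject it."""
    if not HOST_RE.match(host_header):
        raise SuspiciousHost("invalid Host header: %r" % host_header)
    # Strip an optional port (IPv6 literals are out of scope for this example).
    hostname = host_header.rsplit(":", 1)[0].lower()
    if hostname not in allowed_hosts:
        raise SuspiciousHost("Host %r not in allowed hosts" % hostname)
    return host_header


def reset_link_validated(host_header, path="/accounts/reset/abc123/"):
    """Hardened variant: only an allowlisted, well-formed host reaches the URL."""
    return "http://" + validated_host(host_header) + path


def where_browser_goes(url):
    """The host a browser actually connects to: everything before the last
    '@' in the authority is treated as userinfo, not as the hostname."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    poisoned = reset_link_unvalidated(POISONED_HOST)
    print("unvalidated link:", poisoned)
    print("browser connects to:", where_browser_goes(poisoned))
    print("validated link:", reset_link_validated(GOOD_HOST))
    try:
        reset_link_validated(POISONED_HOST)
    except SuspiciousHost as exc:
        print("rejected:", exc)
```

Run it to see that the unvalidated link reads `http://www.example.com@attacker.example/...` yet resolves to `attacker.example`, while the validated builder raises on the same input and only emits links for the allowlisted host.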

CVSS vector

CVSS v2: AV:N/AC:L/Au:N/C:P/I:P/A:N (Exploitability subscore 10.0, Impact subscore 4.9)

Affected Packages (2 packages)

Source | Package | Introduced | Fixed | More
PyPI | djangoproject/django | 1.3 | 1.3.4 | +1 range
NVD | djangoproject/django | 6 versions | | +5

Patches

🔴 Vulnerability Details (4)

OSV: Django Allows Arbitrary URL Generation (2022-05-17)
GHSA: Django Allows Arbitrary URL Generation (2022-05-17)
OSV: CVE-2012-4520: The django (2012-11-18)
CVEList: CVE-2012-4520: The django (2012-11-18)

📋 Vendor Advisories (4)

Ubuntu: Django vulnerabilities (2013-03-07)
Ubuntu: Django vulnerability (2012-11-15)
Red Hat: Django: Host header poisoning vulnerability (2012-10-17)
Debian: CVE-2012-4520: python-django - The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1... (2012)

💬 Community (4)

Bugzilla: Django: Host header poisoning hardening (2013-02-20)
Bugzilla: CVE-2012-4520 Django: Host header poisoning vulnerability [fedora-all] (2012-10-18)
Bugzilla: CVE-2012-4520 Django: Host header poisoning vulnerability [epel-6] (2012-10-18)
Bugzilla: CVE-2012-4520 Django: Host header poisoning vulnerability (2012-10-10)