CVE-2016-7401
published 2016-10-03


Priority: P348 (high)
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 6.13% (92.6th percentile)
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Affected (20 ranges)

Vendor          Product         Version range                        Fixed in
canonical       ubuntu_linux    -                                    -
canonical       ubuntu_linux    -                                    -
canonical       ubuntu_linux    -                                    -
collectd        collectd        >= 0 < 5.4.0-3ubuntu2.2+esm1         5.4.0-3ubuntu2.2+esm1
collectd        collectd        >= 0 < 5.5.1-1ubuntu0.1~esm1         5.5.1-1ubuntu0.1~esm1
debian          debian_linux    -                                    -
debian          python-django   < python-django 1:1.10-1 (bookworm)  python-django 1:1.10-1 (bookworm)
djangoproject   django          <= 1.8.14                            -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          -                                    -
djangoproject   django          >= 0 < 1.8.15                        1.8.15
djangoproject   django          >= 1.9 < 1.9.10                      1.9.10

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:P/A:N
osv             -         9.1     CRITICAL   -
vendor_debian   -         7.5     LOW        -
vendor_redhat   -         7.5     HIGH       -