Django cross-site request forgery (CSRF) vulnerability

GHSA-r5cj-wv24-92p5 · CVE-2008-3909 · PYSEC-2008-2

Published May 2, 2022 · Modified Sep 16, 2024

Description

The administration application in Django 0.91.x, 0.95.x, and 0.96.x stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2008-3909
WEB https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752
WEB https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e
WEB https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81
WEB https://bugzilla.redhat.com/show_bug.cgi?id=460966
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2008-2.yaml
WEB https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00091.html
WEB https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00131.html
WEB http://www.debian.org/security/2008/dsa-1640
WEB http://www.djangoproject.com/weblog/2008/sep/02/security
WEB http://www.openwall.com/lists/oss-security/2008/09/03/4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes