Debian DSA-2163-1 : python-django - multiple vulnerabilities

Medium | Nessus Plugin ID 51979

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in the Django web development framework:

- CVE-2011-0696 For several reasons, the internal CSRF protection was not applied to AJAX requests in the past. However, it was discovered that this exemption can be exploited through a combination of browser plugins and redirects, and is therefore not sufficient.

- CVE-2011-0697 It was discovered that the file upload form is prone to cross-site scripting attacks via the file name.

It is important to note that this update introduces minor backward incompatibilities due to the fixes for the above issues. For the exact details, please see: and in particular the 'Backwards incompatible changes' section.

Packages in the oldstable distribution (lenny) are not affected by these problems.
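The CSRF exemption behind CVE-2011-0696, as an added illustration that is not code from Django or from the advisory: a framework-free model of the pre-fix check, which skipped token validation for requests flagged as AJAX by the X-Requested-With: XMLHttpRequest header, beside the fixed check that validates every unsafe-method request. The Request class, function names and token values are constructed for the example; the forged request carries the victim's cookie (sent automatically by the browser) but no form token, since a cross-site page cannot read it.

```python
import hmac
import secrets

AJAX_HEADER = ("X-Requested-With", "XMLHttpRequest")


class Request:
    """Constructed stand-in for an HTTP request: method, headers, cookies, POST body."""

    def __init__(self, method, headers=None, cookies=None, post=None):
        self.method = method
        self.headers = headers or {}
        self.cookies = cookies or {}
        self.POST = post or {}

    def is_ajax(self):
        return self.headers.get(AJAX_HEADER[0]) == AJAX_HEADER[1]


def token_matches(request):
    """Compare the submitted form token with the cookie token in constant time."""
    expected = request.cookies.get("csrftoken", "")
    submitted = request.POST.get("csrfmiddlewaretoken", "")
    return bool(expected) and hmac.compare_digest(expected, submitted)


def csrf_check_legacy(request):
    """Pre-fix behaviour: requests flagged as AJAX skip the token check entirely.
    The header was assumed to be settable only by same-origin script, an
    assumption the advisory notes could be defeated via plugins and redirects."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    if request.is_ajax():  # the exemption removed by the fix for CVE-2011-0696
        return True
    return token_matches(request)


def csrf_check_fixed(request):
    """Post-fix behaviour: every unsafe-method request must carry a valid token,
    regardless of how it was submitted."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    return token_matches(request)


def make_requests():
    """Two constructed POSTs: one with a valid token, one that only sets the AJAX header."""
    token = secrets.token_hex(16)
    good = Request("POST", cookies={"csrftoken": token}, post={"csrfmiddlewaretoken": token})
    forged = Request("POST", headers={AJAX_HEADER[0]: AJAX_HEADER[1]}, cookies={"csrftoken": token})
    return good, forged
```

Running both checks over the two requests shows the gap: the legacy check accepts the header-only request, the fixed check rejects it, and a legitimate token passes both.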

Solution

Upgrade the python-django packages.

For the stable distribution (squeeze), these problems have been fixed in version 1.2.3-3+squeeze1.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-0696

https://security-tracker.debian.org/tracker/CVE-2011-0697

https://packages.debian.org/source/squeeze/python-django

https://www.debian.org/security/2011/dsa-2163

Plugin Details

Severity: Medium

ID: 51979

File Name: debian_DSA-2163.nasl

Version: 1.14

Type: local

Agent: unix

Published: 2/15/2011

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python-django, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/14/2011

Reference Information

CVE: CVE-2011-0696, CVE-2011-0697

BID: 46296

DSA: 2163