CVE-2007-0405

high

Description

The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/31628

http://www.securityfocus.com/bid/22138

http://secunia.com/advisories/23826

http://code.djangoproject.com/changeset/3754

Details

Source: Mitre, NVD

Published: 2007-01-23

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00453