CVE-2008-3909

high

Description

The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.

References

https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00131.html

https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00091.html

https://bugzilla.redhat.com/show_bug.cgi?id=460966

http://www.vupen.com/english/advisories/2008/2533

http://www.openwall.com/lists/oss-security/2008/09/03/4

http://www.djangoproject.com/weblog/2008/sep/02/security/

http://www.debian.org/security/2008/dsa-1640

http://secunia.com/advisories/31961

http://secunia.com/advisories/31837

http://osvdb.org/47906

Details

Source: Mitre, NVD

Published: 2008-09-04

Updated: 2011-03-08

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High