pysec-2016-3
Vulnerability from pysec
Published
2016-10-03 18:59
Modified
2021-07-05 00:01
Details
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Impacted products
| Name | purl |
|---|---|
| django | pkg:pypi/django |
Aliases
{ affected: [ { package: { ecosystem: "PyPI", name: "django", purl: "pkg:pypi/django", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.8.15", }, { introduced: "1.9", }, { fixed: "1.9.10", }, ], type: "ECOSYSTEM", }, ], versions: [ "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", ], }, ], aliases: [ "CVE-2016-7401", ], details: "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", id: "PYSEC-2016-3", modified: "2021-07-05T00:01:20.518242Z", published: "2016-10-03T18:59:00Z", references: [ { type: "WEB", url: "http://www.securitytracker.com/id/1036899", }, { type: "ARTICLE", url: "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/", }, { type: "ADVISORY", url: "http://www.debian.org/security/2016/dsa-3678", }, { type: "WEB", url: "http://www.securityfocus.com/bid/93182", }, { type: "ADVISORY", url: "http://www.ubuntu.com/usn/USN-3089-1", }, { type: "ADVISORY", url: "http://rhn.redhat.com/errata/RHSA-2016-2043.html", }, { type: "ADVISORY", url: "http://rhn.redhat.com/errata/RHSA-2016-2042.html", }, { type: "ADVISORY", url: "http://rhn.redhat.com/errata/RHSA-2016-2041.html", }, { type: "ADVISORY", url: "http://rhn.redhat.com/errata/RHSA-2016-2040.html", }, { type: "ADVISORY", url: "http://rhn.redhat.com/errata/RHSA-2016-2039.html", }, { type: "ADVISORY", url: "http://rhn.redhat.com/errata/RHSA-2016-2038.html", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.