CVE-2008-3909

The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.

Published Bycve@mitre.org

Published DateSep 04, 2008, 17:41

Affected Versions(3)

Django(PyPI)

Introduced0.91.0

Fixed0.91.3

LimitN/A

Django(PyPI)

Introduced0.95.0

Fixed0.95.4

LimitN/A

Django(PyPI)

Introduced0.96.0

Fixed0.96.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
Django(PyPI)	0.91.0	0.91.3	N/A
Django(PyPI)	0.95.0	0.95.4	N/A
Django(PyPI)	0.96.0	0.96.3	N/A

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

5.8

Vector String

AV:N/AC:M/Au:N/C:N/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

5.8

Vector String

AV:N/AC:M/Au:N/C:N/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

PARTIAL