CVE-2007-0404 – django

Package

Manager: pip
Name: django
Vulnerable Version: =0.95 || >=0.95 <1.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.0055 pctl0.66989

Details

Django Arbitrary Code Execution `bin/compile-messages.py` in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.

Metadata

Created: 2022-05-01T17:44:04Z
Modified: 2025-04-09T14:34:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qc99-g3wm-hgxr/GHSA-qc99-g3wm-hgxr.json
CWE IDs: []
Alternative ID: GHSA-qc99-g3wm-hgxr
Finding: F004
Auto approve: 1