
CVE-2011-4136 django

Package

Manager: pip
Name: django
Vulnerable Version: >=0 <1.2.7 || >=1.3 <1.3.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01022 (percentile 0.76389)

Details

Session manipulation in django.contrib.sessions: in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, the session backend uses the root cache namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a cache key that is equal to that session's identifier.

Metadata

Created: 2018-07-23T19:52:39Z
Modified: 2024-09-16T23:03:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-x88j-93vc-wpmp
Finding: F184
Auto approve: 1