CVE-2012-4520
Date: created (C) 2012-11-19, modified (M) 2023-12-22


The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score: 6.4
Exploit Score: 10.0
Impact Score: 4.9

CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
References:
SECTRACK-1027708
SECUNIA-51033
SECUNIA-51314
OSVDB-86493
DSA-2634
FEDORA-2012-16406
FEDORA-2012-16417
FEDORA-2012-16440
USN-1632-1
USN-1757-1
http://www.openwall.com/lists/oss-security/2012/10/30/4
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
https://bugzilla.redhat.com/show_bug.cgi?id=865164
https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
https://www.djangoproject.com/weblog/2012/oct/17/security/

CPE (8):
cpe:/a:djangoproject:django:1.4
cpe:/a:djangoproject:django:1.3
cpe:/a:djangoproject:django:1.3:alpha1
cpe:/a:djangoproject:django:1.3:beta1
...

CWE (1):
CWE-20

OVAL (7):
oval:org.secpod.oval:def:302986
oval:org.secpod.oval:def:104273
oval:org.secpod.oval:def:701072
oval:org.secpod.oval:def:104265
...

© SecPod Technologies