CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-5828
https://notcve.org/view.php?id=CVE-2007-5828
05 Nov 2007 — Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. NOTE: this issue has been disputed by Debian, since product documentation includes a recommendation for a CSRF protection module that is included with the product. However, CVE considers this an issue because the default configuration does not use this module ** EN DISPUTA ** La vulnerabilidad de falsificación de solici... • http://osvdb.org/45285 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 3.7EPSS: 1%CPEs: 4EXPL: 0CVE-2007-5712 – Debian Linux Security Advisory 1640-1
https://notcve.org/view.php?id=CVE-2007-5712
30 Oct 2007 — The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers. El framework de internacionalización (i18n) en Django versiones 0.91, 0.95, 0.95.1 y 0.96, tal y como es usado en otros productos como PyLucid, cuando la opción USE_I18N y el componente i18... • http://secunia.com/advisories/27435 • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-0404
https://notcve.org/view.php?id=CVE-2007-0404
23 Jan 2007 — bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file. bin/compile-messages.py en Django 0.95 no pone comillas a argumentos de cadena antes de invocar a la función msgfmt a través de la función os.system, lo cual permite a atacantes ejecutar comandos de su elección mediante meta caracteres de shell en un fichero (1) .po... • http://code.djangoproject.com/changeset/3592 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-0405
https://notcve.org/view.php?id=CVE-2007-0405
23 Jan 2007 — The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user. La clase LazyUser en la AuthenticationMiddleware para Django versión 0.95, no almacena apropiadamente el nombre de usuario de la caché tras peticiones, lo que permite a usuarios autenticados remoto alcanzar los privilegios de un usuario diferente. • http://code.djangoproject.com/changeset/3754 •