CVE-2012-4520
Severity Score
6.4
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
La función django.http.HttpRequest.get_host en Django v1.3.x antes de v1.3.4 y v1.4.x antes de v1.4.2, permite a atacantes remotos generar y mostrar URLs de su elección a través de nombre de usuario y contraseña de la cabecera Host manipulados.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2012-08-21 CVE Reserved
- 2012-11-16 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (17)
| URL | Tag | Source |
|---|---|---|
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145 | X_refsource_misc | |
| http://securitytracker.com/id?1027708 | Vdb Entry | |
| http://www.openwall.com/lists/oss-security/2012/10/30/4 | Mailing List |
|
| http://www.osvdb.org/86493 | Vdb Entry | |
| https://bugzilla.redhat.com/show_bug.cgi?id=865164 | X_refsource_misc | |
| https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3 | X_refsource_confirm | |
| https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e | X_refsource_confirm | |
| https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.djangoproject.com/weblog/2012/oct/17/security | 2013-05-04 |
| URL | Date | SRC |
|---|---|---|
| http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html | 2013-05-04 | |
| http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html | 2013-05-04 | |
| http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html | 2013-05-04 | |
| http://secunia.com/advisories/51033 | 2013-05-04 | |
| http://secunia.com/advisories/51314 | 2013-05-04 | |
| http://ubuntu.com/usn/usn-1632-1 | 2013-05-04 | |
| http://ubuntu.com/usn/usn-1757-1 | 2013-05-04 | |
| http://www.debian.org/security/2013/dsa-2634 | 2013-05-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.3 Search vendor "Djangoproject" for product "Django" and version "1.3" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.3 Search vendor "Djangoproject" for product "Django" and version "1.3" | alpha1 |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.3 Search vendor "Djangoproject" for product "Django" and version "1.3" | beta1 |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.3.1 Search vendor "Djangoproject" for product "Django" and version "1.3.1" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.3.2 Search vendor "Djangoproject" for product "Django" and version "1.3.2" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.3.3 Search vendor "Djangoproject" for product "Django" and version "1.3.3" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.4 Search vendor "Djangoproject" for product "Django" and version "1.4" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.4.1 Search vendor "Djangoproject" for product "Django" and version "1.4.1" | - |
Affected
| ||||||