Description

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Remediation

References

CVE-2011-4140

Related Vulnerabilities

EspoCRM Improper Restriction of Excessive Authentication Attempts Vulnerability (CVE-2019-14351)

TCExam Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-5748)

WordPress 4.9.x Multiple Vulnerabilities (4.9 - 4.9.11)

WordPress Plugin Uploader 'num' Parameter Cross-Site Scripting (1.0.0)

WordPress Plugin WordPress Button Plugin MaxButtons Security Bypass (1.19.0)

Severity

Medium

Classification

CVE-2011-4140 CWE-352

Tags

Missing Update Known Vulnerabilities