CVE-2007-5828

** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. NOTE: this issue has been disputed by Debian, since product documentation includes a recommendation for a CSRF protection module that is included with the product. However, CVE considers this an issue because the default configuration does not use this module.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://osvdb.org/45285
http://securityreason.com/securityalert/3338
http://www.securityfocus.com/archive/1/482983/100/0/threaded

Configurations

Configuration 1 (hide)

cpe:2.3:a:django_project:django:0.96:*:*:*:*:*:*:*

History

No history.

Information

Published : 2007-11-05 19:46

Updated : 2024-08-07 16:15

NVD link : CVE-2007-5828

Mitre link : CVE-2007-5828

CVE.ORG link : CVE-2007-5828

JSON object : View

Products Affected

django_project

django

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2007-5828", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2007-11-05T19:46:00.000", "references": [{"url": "http://osvdb.org/45285", "source": "cve@mitre.org"}, {"url": "http://securityreason.com/securityalert/3338", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/482983/100/0/threaded", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. NOTE: this issue has been disputed by Debian, since product documentation includes a recommendation for a CSRF protection module that is included with the product. However, CVE considers this an issue because the default configuration does not use this module"}, {"lang": "es", "value": "** EN DISPUTA ** La vulnerabilidad de falsificaci\u00f3n de solicitudes entre sitios (CSRF) en el panel de administraci\u00f3n en Django 0.96 permite a los atacantes remotos cambiar las contrase\u00f1as de usuarios arbitrarios mediante una solicitud a admin / auth / user / 1 / password /. NOTA: Debian ha disputado este problema, ya que la documentaci\u00f3n del producto incluye una recomendaci\u00f3n para un m\u00f3dulo de protecci\u00f3n CSRF que se incluye con el producto. Sin embargo, CVE considera que esto es un problema porque la configuraci\u00f3n predeterminada no usa este m\u00f3dulo."}], "lastModified": "2024-08-07T16:15:32.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:django_project:django:0.96:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F54F75F-B2BC-4A44-B93B-DB75856BEC45"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}