ID OPENVAS:860513 Type openvas Reporter Copyright (C) 2009 Greenbone Networks GmbH Modified 2017-07-10T00:00:00
Description
Check for the Version of Django
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for Django FEDORA-2008-4191
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
include("revisions-lib.inc");

# Description-phase text. These strings are only read by the script_tag()
# calls inside the if(description) block; the detection phase never uses them.
tag_solution = "Please Install the Updated Packages.";
tag_affected = "Django on Fedora 7";
tag_insight = "Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.";
# Description phase: register the plugin's metadata with the scanner and
# stop. The package check below this block only runs in the scan phase.
if(description)
{
  # Plugin identity and revision bookkeeping.
  script_id(860513);
  script_version("$Revision: 6623 $");
  script_tag(name:"creation_date", value:"2009-02-17 16:47:15 +0100 (Tue, 17 Feb 2009)");
  script_tag(name:"last_modification", value:"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $");

  # Naming and classification.
  script_name( "Fedora Update for Django FEDORA-2008-4191");
  script_summary("Check for the Version of Django");
  script_category(ACT_GATHER_INFO);
  script_family("Fedora Local Security Checks");
  script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");

  # Severity (CVSSv2) and external references.
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_cve_id("CVE-2008-2302", "CVE-2007-5712");
  script_xref(name: "FEDORA", value: "2008-4191");
  script_xref(name : "URL" , value : "https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00496.html");

  # Run only after the package inventory has been collected over SSH and
  # the host has been identified as Fedora.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms");

  # Human-readable advisory text (defined at the top of the file).
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}
include("pkg-lib-rpm.inc");

# Scan phase: the release string is recorded in the KB by
# gather-package-list.nasl; without it there is nothing to compare against.
release = get_kb_item("ssh/login/release");
if(release == NULL){
  exit(0);
}

res = "";
if(release == "FC7")
{
  # isrpmvuln() returns a report string when the installed Django rpm is
  # older than the fixed build, and NULL otherwise.
  res = isrpmvuln(pkg:"Django", rpm:"Django~0.96.2~1.fc7", rls:"FC7");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  # __pkg_match is set by the rpm helper when the package was found but is
  # already at or above the fixed version; 99 signals "not vulnerable".
  if(__pkg_match) exit(99);
  exit(0);
}
{"id": "OPENVAS:860513", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for Django FEDORA-2008-4191", "description": "Check for the Version of Django", "published": "2009-02-17T00:00:00", "modified": "2017-07-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=860513", "reporter": "Copyright (C) 2009 Greenbone Networks GmbH", "references": ["2008-4191", "https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00496.html"], "cvelist": ["CVE-2008-2302", "CVE-2007-5712"], "lastseen": "2017-07-25T10:56:52", "viewCount": 5, "enchantments": {"score": {"value": 5.9, "vector": "NONE", "modified": "2017-07-25T10:56:52", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-2302", "CVE-2008-4191", "CVE-2007-5712"]}, {"type": "nessus", "idList": ["DJANGO_ADMIN_XSS.NASL", "FEDORA_2008-4191.NASL", "FREEBSD_PKG_F49BA347219011DD907C001C2514716C.NASL", "FEDORA_2007-2788.NASL", "FEDORA_2008-4248.NASL", "FEDORA_2007-3157.NASL", "DEBIAN_DSA-1640.NASL", "FEDORA_2008-4267.NASL"]}, {"type": "fedora", "idList": ["FEDORA:LA9NRG8S013795", "FEDORA:M4LAVSU6014813", "FEDORA:M4LB5LYS016141", "FEDORA:M4LB3NDJ015891", "FEDORA:LA9NWBWU014414", "FEDORA:B0E53208DAC"]}, {"type": "openvas", "idList": ["OPENVAS:61058", "OPENVAS:860098", "OPENVAS:861339", "OPENVAS:860102", "OPENVAS:860395", "OPENVAS:61642", "OPENVAS:861478"]}, {"type": "freebsd", "idList": ["F49BA347-2190-11DD-907C-001C2514716C"]}, {"type": "osvdb", "idList": ["OSVDB:38905"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1640-1:7E9F5"]}], "modified": "2017-07-25T10:56:52", "rev": 2}, "vulnersScore": 5.9}, "pluginID": "860513", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2008-4191\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 
Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 7\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. 
It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00496.html\");\n script_id(860513);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 16:47:15 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2008-4191\");\n script_cve_id(\"CVE-2008-2302\", \"CVE-2007-5712\");\n script_name( \"Fedora Update for Django FEDORA-2008-4191\");\n\n script_summary(\"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC7\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~0.96.2~1.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "naslFamily": "Fedora Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T05:31:27", "description": "The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.", "edition": 4, "cvss3": {}, "published": "2007-10-30T19:46:00", "title": "CVE-2007-5712", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-5712"], "modified": "2017-07-29T01:33:00", "cpe": ["cpe:/a:django_project:django:0.95", "cpe:/a:django_project:django:0.96", "cpe:/a:django_project:django:0.95.1", "cpe:/a:django_project:django:0.91"], "id": "CVE-2007-5712", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:django_project:django:0.95.1:*:*:*:*:*:*:*", "cpe:2.3:a:django_project:django:0.96:*:*:*:*:*:*:*", "cpe:2.3:a:django_project:django:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:django_project:django:0.95:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:13", "description": "Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request.", "edition": 4, "cvss3": {}, "published": 
"2008-05-23T15:32:00", "title": "CVE-2008-2302", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-2302"], "modified": "2017-08-08T01:30:00", "cpe": ["cpe:/a:django_project:django:0.95", "cpe:/a:django_project:django:0.96", "cpe:/a:django_project:django:0.91"], "id": "CVE-2008-2302", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:django_project:django:0.96:*:*:*:*:*:*:*", "cpe:2.3:a:django_project:django:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:django_project:django:0.95:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-12T10:06:32", "description": " - Mon May 19 2008 Michel Salim <salimma at\n fedoraproject.org> - 0.96.2-1\n\n - XSS security update: CVE-2008-2302 (bz# 442757-60)\n\n - Sat Apr 5 2008 Michel Salim <salimma at\n fedoraproject.org> - 0.96.1-2\n\n - Package .egg-info file on Fedora >= 9\n\n - Thu Nov 1 2007 Michel Salim <michel.sylvan at\n gmail.com> 0.96.1-1\n\n - i18n security update: CVE-2007-5712, bz#357051\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-05-22T00:00:00", "title": "Fedora 7 : Django-0.96.2-1.fc7 (2008-4191)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302", "CVE-2007-5712"], "modified": "2008-05-22T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:Django", "cpe:/o:fedoraproject:fedora:7"], "id": "FEDORA_2008-4191.NASL", "href": "https://www.tenable.com/plugins/nessus/32409", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-4191.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32409);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-2302\");\n script_bugtraq_id(29209);\n script_xref(name:\"FEDORA\", value:\"2008-4191\");\n\n script_name(english:\"Fedora 7 : Django-0.96.2-1.fc7 (2008-4191)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Mon May 19 2008 Michel Salim <salimma at\n fedoraproject.org> - 0.96.2-1\n\n - XSS security update: CVE-2008-2302 (bz# 442757-60)\n\n - Sat Apr 5 2008 Michel Salim <salimma at\n fedoraproject.org> - 0.96.1-2\n\n - Package .egg-info file on Fedora >= 9\n\n - Thu Nov 1 2007 Michel Salim <michel.sylvan at\n gmail.com> 0.96.1-1\n\n - i18n security update: CVE-2007-5712, bz#357051\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=446402\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-May/010148.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a2f9c072\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 7.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC7\", reference:\"Django-0.96.2-1.fc7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T10:51:26", "description": "Django project reports :\n\nThe Django administration application will, when accessed by a user\nwho is not sufficiently authenticated, display a login form and ask\nthe user to provide the necessary credentials before displaying the\nrequested page. 
This form will be submitted to the URL the user\nattempted to access, by supplying the current request path as the\nvalue of the form's 'action' attribute.\n\nThe value of the request path was not being escaped, creating an\nopportunity for a cross-site scripting (XSS) attack by leading a user\nto a URL which contained URL-encoded HTML and/or JavaScript in the\nrequest path.", "edition": 26, "published": "2008-05-16T00:00:00", "title": "FreeBSD : django -- XSS vulnerability (f49ba347-2190-11dd-907c-001c2514716c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302"], "modified": "2008-05-16T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:py23-django", "p-cpe:/a:freebsd:freebsd:py24-django", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:py25-django", "p-cpe:/a:freebsd:freebsd:py25-django-devel", "p-cpe:/a:freebsd:freebsd:py24-django-devel", "p-cpe:/a:freebsd:freebsd:py23-django-devel"], "id": "FREEBSD_PKG_F49BA347219011DD907C001C2514716C.NASL", "href": "https://www.tenable.com/plugins/nessus/32350", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32350);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-2302\");\n\n script_name(english:\"FreeBSD : django -- XSS vulnerability (f49ba347-2190-11dd-907c-001c2514716c)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Django project reports :\n\nThe Django administration application will, when accessed by a user\nwho is not sufficiently authenticated, display a login form and ask\nthe user to provide the necessary credentials before 
displaying the\nrequested page. This form will be submitted to the URL the user\nattempted to access, by supplying the current request path as the\nvalue of the form's 'action' attribute.\n\nThe value of the request path was not being escaped, creating an\nopportunity for a cross-site scripting (XSS) attack by leading a user\nto a URL which contained URL-encoded HTML and/or JavaScript in the\nrequest path.\"\n );\n # http://www.djangoproject.com/weblog/2008/may/14/security/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2008/may/14/security/\"\n );\n # https://vuxml.freebsd.org/freebsd/f49ba347-2190-11dd-907c-001c2514716c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34708d23\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py23-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py23-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py24-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py24-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py25-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py25-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py23-django<0.96.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py24-django<0.96.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py25-django<0.96.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py23-django-devel<20080511\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py24-django-devel<20080511\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py25-django-devel<20080511\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:06:32", "description": " - Bug #446402 - CVE-2008-2302 Django: administration\n application XSS\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-05-22T00:00:00", "title": "Fedora 8 : Django-0.96.2-1.fc8 (2008-4248)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302"], "modified": "2008-05-22T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:Django", "cpe:/o:fedoraproject:fedora:8"], "id": "FEDORA_2008-4248.NASL", "href": "https://www.tenable.com/plugins/nessus/32411", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-4248.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32411);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-2302\");\n script_bugtraq_id(29209);\n script_xref(name:\"FEDORA\", value:\"2008-4248\");\n\n script_name(english:\"Fedora 8 : Django-0.96.2-1.fc8 (2008-4248)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Bug #446402 - CVE-2008-2302 Django: administration\n application XSS\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=446402\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-May/010232.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5d5ae607\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"Django-0.96.2-1.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:06:32", "description": " - Mon May 19 2008 Michel Salim <salimma at\n fedoraproject.org> - 0.96.2-1\n\n - XSS security update: CVE-2008-2302 (bz# 442757-60)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-05-22T00:00:00", "title": "Fedora 9 : Django-0.96.2-1.fc9 (2008-4267)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302"], "modified": "2008-05-22T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:Django", "cpe:/o:fedoraproject:fedora:9"], "id": "FEDORA_2008-4267.NASL", "href": "https://www.tenable.com/plugins/nessus/32413", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-4267.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32413);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-2302\");\n script_bugtraq_id(29209);\n script_xref(name:\"FEDORA\", value:\"2008-4267\");\n\n script_name(english:\"Fedora 9 : Django-0.96.2-1.fc9 (2008-4267)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Mon May 19 2008 Michel Salim <salimma at\n fedoraproject.org> - 0.96.2-1\n\n - XSS security update: CVE-2008-2302 (bz# 442757-60)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=446402\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-May/010252.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a777fa77\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"Django-0.96.2-1.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T10:03:33", "description": "The remote host is using Django, a high-level Python web framework\ndesigned for rapid development of database-driven websites. \n\nThe administration application included with the version of Django\ninstalled on the remote host fails to sanitize the URL before using it\nto generate dynamic HTML output. 
An attacker may be able to leverage\nthis to inject arbitrary HTML and script code into a user's browser to\nbe executed within the security context of the affected site.", "edition": 24, "published": "2008-05-15T00:00:00", "title": "Django Administration Application Login Form XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302"], "modified": "2008-05-15T00:00:00", "cpe": [], "id": "DJANGO_ADMIN_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/32319", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32319);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2008-2302\");\n script_bugtraq_id(29209);\n script_xref(name:\"Secunia\", value:\"30250\");\n\n script_name(english:\"Django Administration Application Login Form XSS\");\n script_summary(english:\"Tries to inject script code into login form\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a web framework that is affected by a\ncross-site scripting vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is using Django, a high-level Python web framework\ndesigned for rapid development of database-driven websites. \n\nThe administration application included with the version of Django\ninstalled on the remote host fails to sanitize the URL before using it\nto generate dynamic HTML output. 
An attacker may be able to leverage\nthis to inject arbitrary HTML and script code into a user's browser to\nbe executed within the security context of the affected site.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.djangoproject.com/weblog/2008/may/14/security/\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Django version 0.96.2 / 0.95.3 / 0.91.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(79);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/05/15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\", \"cross_site_scripting.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80, embedded: 0);\nif (get_kb_item(\"www/\"+port+\"/generic_xss\")) exit(0);\n\n\nexploit = string('nessus\">', \"<script>alert('\", SCRIPT_NAME, \"')</script>/\");\n\n\n# Loop through directories.\nif (thorough_tests) dirs = list_uniq(make_list(\"/admin\", cgi_dirs()));\nelse dirs = make_list(cgi_dirs());\n\nforeach dir (dirs)\n{\n # Try the exploit.\n r = http_send_recv3(method: \"GET\", port: port, item:string(dir, \"/\", urlencode(str:exploit)));\n 
if (isnull(r)) exit(0);\n\n # There's a problem if we see our exploit in the form.\n if (\n (\n 'Django site admin<' >< r[2] ||\n '>Django administration' >< r[2] ||\n 'name=\"this_is_the_login_form\"' >< r[2]\n ) &&\n string('<form action=\"/admin/', exploit) >< r[2]\n )\n {\n security_warning(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n exit(0);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:06:09", "description": " - Thu Nov 1 2007 Michel Salim <michel.sylvan at gmail.com>\n 0.96.1-1\n\n - i18n security update: CVE-2007-5712, bz#357051\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2007-11-12T00:00:00", "title": "Fedora 7 : Django-0.96.1-1.fc7 (2007-3157)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5712"], "modified": "2007-11-12T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:Django", "cpe:/o:fedoraproject:fedora:7", "p-cpe:/a:fedoraproject:fedora:Django-docs"], "id": "FEDORA_2007-3157.NASL", "href": "https://www.tenable.com/plugins/nessus/28164", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2007-3157.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(28164);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2007-5712\");\n script_bugtraq_id(26227);\n script_xref(name:\"FEDORA\", value:\"2007-3157\");\n\n script_name(english:\"Fedora 7 : Django-0.96.1-1.fc7 (2007-3157)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Thu Nov 1 2007 Michel Salim <michel.sylvan at gmail.com>\n 0.96.1-1\n\n - i18n security update: CVE-2007-5712, bz#357051\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=357051\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=362761\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2007-November/004661.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cf5e0e6c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django and / or Django-docs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/11/12\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 7.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC7\", reference:\"Django-0.96.1-1.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"Django-docs-0.96.1-1.fc7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django / Django-docs\");\n}\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:06:07", "description": " - Bug #362771 - CVE-2007-5712 Django 0.96 i18n DoS [F8]\n\n - Bug #357051 - CVE-2007-5712 Django 0.96 i18n DoS\n\n - CVE-2007-5712\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2007-11-12T00:00:00", "title": "Fedora 8 : Django-0.96.1-1.fc8 (2007-2788)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5712"], "modified": "2007-11-12T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:Django", "cpe:/o:fedoraproject:fedora:8", "p-cpe:/a:fedoraproject:fedora:Django-docs"], "id": "FEDORA_2007-2788.NASL", "href": "https://www.tenable.com/plugins/nessus/28152", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2007-2788.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(28152);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2007-5712\");\n script_bugtraq_id(26227);\n script_xref(name:\"FEDORA\", value:\"2007-2788\");\n\n script_name(english:\"Fedora 8 : Django-0.96.1-1.fc8 (2007-2788)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Bug #362771 - CVE-2007-5712 Django 0.96 i18n DoS [F8]\n\n - Bug #357051 - CVE-2007-5712 Django 0.96 i18n DoS\n\n - CVE-2007-5712\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=357051\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=362771\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2007-November/004647.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9480efa8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django and / or Django-docs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/11/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"Django-0.96.1-1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"Django-docs-0.96.1-1.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django / Django-docs\");\n}\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-06T09:45:06", "description": "Simon Willison discovered that in Django, a Python web framework, the\nfeature to retain HTTP POST data during user reauthentication allowed\na remote attacker to perform unauthorized modification of data through\ncross site request forgery. This is possible regardless of the Django\nplugin to prevent cross site request forgery being enabled. 
The Common\nVulnerabilities and Exposures project identifies this issue as\nCVE-2008-3909.\n\nIn this update the affected feature is disabled; this is in accordance\nwith upstream's preferred solution for this situation.\n\nThis update takes the opportunity to also include a relatively minor\ndenial of service attack in the internationalisation framework, known\nas CVE-2007-5712.", "edition": 28, "published": "2008-09-23T00:00:00", "title": "Debian DSA-1640-1 : python-django - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5712", "CVE-2008-3909"], "modified": "2008-09-23T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "p-cpe:/a:debian:debian_linux:python-django"], "id": "DEBIAN_DSA-1640.NASL", "href": "https://www.tenable.com/plugins/nessus/34253", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1640. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(34253);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2007-5712\", \"CVE-2008-3909\");\n script_bugtraq_id(26227, 29209);\n script_xref(name:\"DSA\", value:\"1640\");\n\n script_name(english:\"Debian DSA-1640-1 : python-django - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Simon Willison discovered that in Django, a Python web framework, the\nfeature to retain HTTP POST data during user reauthentication allowed\na remote attacker to perform unauthorized modification of data through\ncross site request forgery. This is possible regardless of the Django\nplugin to prevent cross site request forgery being enabled. 
The Common\nVulnerabilities and Exposures project identifies this issue as\nCVE-2008-3909.\n\nIn this update the affected feature is disabled; this is in accordance\nwith upstream's preferred solution for this situation.\n\nThis update takes the opportunity to also include a relatively minor\ndenial of service attack in the internationalisation framework, known\nas CVE-2007-5712.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497765\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448838\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-3909\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2007-5712\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2008/dsa-1640\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the python-django package.\n\nFor the stable distribution (etch), these problems have been fixed in\nversion 0.95.1-1etch2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(352, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/23\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"python-django\", reference:\"0.95.1-1etch2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2007-5712", "CVE-2008-2302"], "description": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. ", "modified": "2008-05-21T10:57:57", "published": "2008-05-21T10:57:57", "id": "FEDORA:M4LAVSU6014813", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 7 Update: Django-0.96.2-1.fc7", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2302"], "description": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. 
", "modified": "2008-05-21T11:04:20", "published": "2008-05-21T11:04:20", "id": "FEDORA:M4LB3NDJ015891", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: Django-0.96.2-1.fc8", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2302"], "description": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. ", "modified": "2008-05-21T11:06:46", "published": "2008-05-21T11:06:46", "id": "FEDORA:M4LB5LYS016141", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: Django-0.96.2-1.fc9", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2302"], "description": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. ", "modified": "2008-09-10T06:40:54", "published": "2008-09-10T06:40:54", "id": "FEDORA:B0E53208DAC", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: Django-0.96.3-1.fc9", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:48", "bulletinFamily": "unix", "cvelist": ["CVE-2007-5712"], "description": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. 
", "modified": "2007-11-09T23:58:29", "published": "2007-11-09T23:58:29", "id": "FEDORA:LA9NWBWU014414", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 7 Update: Django-0.96.1-1.fc7", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:48", "bulletinFamily": "unix", "cvelist": ["CVE-2007-5712"], "description": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. ", "modified": "2007-11-09T23:53:43", "published": "2007-11-09T23:53:43", "id": "FEDORA:LA9NRG8S013795", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: Django-0.96.1-1.fc8", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2017-07-25T10:57:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302"], "description": "Check for the Version of Django", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860102", "href": "http://plugins.openvas.org/nasl.php?oid=860102", "type": "openvas", "title": "Fedora Update for Django FEDORA-2008-4267", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2008-4267\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 9\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00600.html\");\n script_id(860102);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 16:47:15 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2008-4267\");\n script_cve_id(\"CVE-2008-2302\");\n script_name( \"Fedora Update for Django FEDORA-2008-4267\");\n\n script_summary(\"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC9\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~0.96.2~1.fc9\", rls:\"FC9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302"], "description": "Check for the Version of Django", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860098", "href": "http://plugins.openvas.org/nasl.php?oid=860098", "type": "openvas", "title": "Fedora Update for Django FEDORA-2008-4248", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2008-4248\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 8\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00580.html\");\n script_id(860098);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 16:47:15 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2008-4248\");\n script_cve_id(\"CVE-2008-2302\");\n script_name( \"Fedora Update for Django FEDORA-2008-4248\");\n\n script_summary(\"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~0.96.2~1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302"], "description": "Check for the Version of Django", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860395", "href": "http://plugins.openvas.org/nasl.php?oid=860395", "type": "openvas", "title": "Fedora Update for Django FEDORA-2008-7672", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2008-7672\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 9\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00131.html\");\n script_id(860395);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:03:12 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2008-7672\");\n script_cve_id(\"CVE-2008-2302\");\n script_name( \"Fedora Update for Django FEDORA-2008-7672\");\n\n script_summary(\"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC9\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~0.96.3~1.fc9\", rls:\"FC9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-02T21:10:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2302"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-28T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:61058", "href": "http://plugins.openvas.org/nasl.php?oid=61058", "type": "openvas", "title": "FreeBSD Ports: py23-django, py24-django, py25-django", "sourceData": "#\n#VID f49ba347-2190-11dd-907c-001c2514716c\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n py23-django\n py24-django\n py25-django\n py23-django-devel\n py24-django-devel\n py25-django-devel\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.djangoproject.com/weblog/2008/may/14/security/\nhttp://www.vuxml.org/freebsd/f49ba347-2190-11dd-907c-001c2514716c.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(61058);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_version(\"$Revision: 4164 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-28 09:03:16 +0200 (Wed, 28 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2008-2302\");\n script_name(\"FreeBSD Ports: py23-django, py24-django, py25-django\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"py23-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.96.2\")<0) {\n txt += 'Package py23-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py24-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.96.2\")<0) {\n txt += 'Package py24-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py25-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.96.2\")<0) {\n txt += 'Package py25-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py23-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"20080511\")<0) {\n txt += 'Package py23-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py24-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"20080511\")<0) {\n txt += 'Package py24-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py25-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"20080511\")<0) {\n txt += 'Package py25-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n 
exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5712"], "description": "Check for the Version of Django", "modified": "2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:861339", "href": "http://plugins.openvas.org/nasl.php?oid=861339", "type": "openvas", "title": "Fedora Update for Django FEDORA-2007-3157", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2007-3157\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 7\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. 
It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00257.html\");\n script_id(861339);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 16:23:18 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2007-3157\");\n script_cve_id(\"CVE-2007-5712\");\n script_name( \"Fedora Update for Django FEDORA-2007-3157\");\n\n script_summary(\"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC7\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~0.96.1~1.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~0.96.1~1.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"Django-docs\", 
rpm:\"Django-docs~0.96.1~1.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:57:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5712"], "description": "Check for the Version of Django", "modified": "2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:861478", "href": "http://plugins.openvas.org/nasl.php?oid=861478", "type": "openvas", "title": "Fedora Update for Django FEDORA-2007-2788", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2007-2788\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 8\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. 
It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00243.html\");\n script_id(861478);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 16:01:32 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2007-2788\");\n script_cve_id(\"CVE-2007-5712\");\n script_name( \"Fedora Update for Django FEDORA-2007-2788\");\n\n script_summary(\"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~0.96.1~1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~0.96.1~1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"Django-docs\", 
rpm:\"Django-docs~0.96.1~1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5712", "CVE-2008-3909"], "description": "The remote host is missing an update to python-django\nannounced via advisory DSA 1640-1.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:61642", "href": "http://plugins.openvas.org/nasl.php?oid=61642", "type": "openvas", "title": "Debian Security Advisory DSA 1640-1 (python-django)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1640_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1640-1 (python-django)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Simon Willison discovered that in Django, a Python web framework, the\nfeature to retain HTTP POST data during user reauthentication allowed\na remote attacker to perform unauthorized modification of data through\ncross site request forgery. The is possible regardless of the Django\nplugin to prevent cross site request forgery being enabled. The Common\nVulnerabilities and Exposures project identifies this issue as\nCVE-2008-3909.\n\nIn this update the affected feature is disabled; this is in accordance\nwith upstream's preferred solution for this situation.\n\nThis update takes the opportunity to also include a relatively minor\ndenial of service attack in the internationalisaton framework, known\nas CVE-2007-5712.\n\nFor the stable distribution (etch), these problems have been fixed in\nversion 0.95.1-1etch2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.0-1.\n\nWe recommend that you upgrade your python-django package.\";\ntag_summary = \"The remote host is missing an update to python-django\nannounced via advisory DSA 1640-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201640-1\";\n\n\nif(description)\n{\n script_id(61642);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 17:42:31 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2008-3909\", \"CVE-2007-5712\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_name(\"Debian 
Security Advisory DSA 1640-1 (python-django)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"python-django\", ver:\"0.95.1-1etch2\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:26", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2302"], "description": "\nDjango project reports:\n\nThe Django administration application will, when accessed by\n\t a user who is not sufficiently authenticated, display a login\n\t form and ask the user to provide the necessary credentials\n\t before displaying the requested page. 
This form will be submitted\n\t to the URL the user attempted to access, by supplying the current\n\t request path as the value of the form's \"action\" attribute.\nThe value of the request path was not being escaped, creating an\n\t opportunity for a cross-site scripting (XSS) attack by leading a\n\t user to a URL which contained URL-encoded HTML and/or JavaScript\n\t in the request path.\n\n", "edition": 4, "modified": "2010-05-12T00:00:00", "published": "2008-05-10T00:00:00", "id": "F49BA347-2190-11DD-907C-001C2514716C", "href": "https://vuxml.freebsd.org/freebsd/f49ba347-2190-11dd-907c-001c2514716c.html", "title": "django -- XSS vulnerability", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "cvelist": ["CVE-2007-5712"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://sourceforge.net/forum/forum.php?forum_id=749199\n[Secunia Advisory ID:27435](https://secuniaresearch.flexerasoftware.com/advisories/27435/)\n[Secunia Advisory ID:27597](https://secuniaresearch.flexerasoftware.com/advisories/27597/)\nOther Advisory URL: http://www.djangoproject.com/weblog/2007/oct/26/security-fix/\nOther Advisory URL: https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00243.html\nOther Advisory URL: https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00257.html\nKeyword: i18n\nISS X-Force ID: 38143\nFrSIRT Advisory: ADV-2007-3660\nFrSIRT Advisory: ADV-2007-3661\n[CVE-2007-5712](https://vulners.com/cve/CVE-2007-5712)\nBugtraq ID: 26227\n", "edition": 1, "modified": "2007-10-26T00:00:00", "published": "2007-10-26T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:38905", "id": "OSVDB:38905", "title": "Django Internationalization Framework USE_I18N Option Multiple HTTP Request Remote DoS", "type": "osvdb", "cvss": {"score": 2.6, "vector": 
"AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "debian": [{"lastseen": "2019-05-30T02:22:48", "bulletinFamily": "unix", "cvelist": ["CVE-2007-5712", "CVE-2008-3909"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1640-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nSeptember 20, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : python-django\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-3909 CVE-2007-5712\nDebian Bug : 497765 448838\n\nSimon Willison discovered that in Django, a Python web framework, the\nfeature to retain HTTP POST data during user reauthentication allowed\na remote attacker to perform unauthorized modification of data through\ncross site request forgery. This is possible regardless of the Django\nplugin to prevent cross site request forgery being enabled. 
The Common\nVulnerabilities and Exposures project identifies this issue as\nCVE-2008-3909.\n\nIn this update the affected feature is disabled; this is in accordance\nwith upstream's preferred solution for this situation.\n\nThis update takes the opportunity to also include a relatively minor\ndenial of service attack in the internationalisaton framework, known\nas CVE-2007-5712.\n\nFor the stable distribution (etch), these problems have been fixed in\nversion 0.95.1-1etch2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.0-1.\n\nWe recommend that you upgrade your python-django package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2.dsc\n Size/MD5 checksum: 940 62d31adf6a658ab089df66916148d2d8\n http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1.orig.tar.gz\n Size/MD5 checksum: 1297839 07f09d8429916481e09e84fd01e97355\n http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2.diff.gz\n Size/MD5 checksum: 8069 6e5e17af4148911137b1a8aebaa8096c\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2_all.deb\n Size/MD5 checksum: 1025742 93417b16a120eada12b807b8372cc858\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- 
---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2008-09-20T13:08:28", "published": "2008-09-20T13:08:28", "id": "DEBIAN:DSA-1640-1:7E9F5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00229.html", "title": "[SECURITY] [DSA 1640-1] New python-django packages fix cross site request forgery", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}]}