A security issue affects the following Ubuntu releases:
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 10.10:
python-django 1.2.3-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that Django did not properly sanitize the cookie value
when applying CSRF protections resulting in a cross-site scripting (XSS)
vulnerability. With cross-site scripting vulnerabilities, if a user were
tricked into viewing server output during a crafted server request, a
remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain.
{"id": "SECURITYVULNS:DOC:24952", "bulletinFamily": "software", "title": "[USN-1004-1] Django vulnerability", "description": "===========================================================\r\nUbuntu Security Notice USN-1004-1 October 13, 2010\r\npython-django vulnerability\r\nCVE-2010-3082\r\n===========================================================\r\n\r\nA security issue affects the following Ubuntu releases:\r\n\r\nUbuntu 10.10\r\n\r\nThis advisory also applies to the corresponding versions of\r\nKubuntu, Edubuntu, and Xubuntu.\r\n\r\nThe problem can be corrected by upgrading your system to the\r\nfollowing package versions:\r\n\r\nUbuntu 10.10:\r\n python-django 1.2.3-1ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nDetails follow:\r\n\r\nIt was discovered that Django did not properly sanitize the cookie value\r\nwhen applying CSRF protections resulting in a cross-site scripting (XSS)\r\nvulnerability. With cross-site scripting vulnerabilities, if a user were\r\ntricked into viewing server output during a crafted server request, a\r\nremote attacker could exploit this to modify the contents, or steal\r\nconfidential data, within the same domain.\r\n\r\n\r\nUpdated packages for Ubuntu 10.10:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.1.debian.tar.gz\r\n Size/MD5: 18499 2e8c4c95d6d40cce184131f1001a01a2\r\n http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.1.dsc\r\n Size/MD5: 2249 a5cb861587d952430ae73da49a9680cf\r\n http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3.orig.tar.gz\r\n Size/MD5: 6306760 10bfb5831bcb4d3b1e6298d0e41d6603\r\n\r\n Architecture independent packages:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.2.3-1ubuntu0.1_all.deb\r\n Size/MD5: 1905856 5f3ed62933c8f4970101ead2d57d7d4f\r\n http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.1_all.deb\r\n Size/MD5: 4212250 8c85dcb4ab4d9701cd546e2e119ae4e3\r\n\r\n\r\n", "published": "2010-10-19T00:00:00", "modified": "2010-10-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24952", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2010-3082"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:37", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "4556838ca670121a5bfe409e65871466"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "886b61ac4939e26d35566addedd2c536"}, {"key": "href", "hash": "819e3b8b4e0b2b9f1e16f023a00030d6"}, {"key": "modified", "hash": "0ff56c663a84095c869506908e5f14b0"}, {"key": "published", "hash": "0ff56c663a84095c869506908e5f14b0"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "d18cdea0fe8dd80ab7074baa44f2289a"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "308fbfc0c3f5bdfdda9c718f383cf397465b5765e2047e7b628763240d8154fb", "viewCount": 4, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2018-08-31T11:10:37"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-3082"]}, {"type": "openvas", "idList": ["OPENVAS:862686", "OPENVAS:68103", "OPENVAS:862406", "OPENVAS:840536", "OPENVAS:1361412562310862404", "OPENVAS:136141256231068103", "OPENVAS:1361412562310840536", "OPENVAS:862404", "OPENVAS:1361412562310862686", "OPENVAS:1361412562310862406"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11203"]}, {"type": "nessus", "idList": ["FEDORA_2010-14430.NASL", "FREEBSD_PKG_3FF95DD3C29111DFB0DC00215C6A37BB.NASL", "FEDORA_2010-14398.NASL", "UBUNTU_USN-1004-1.NASL", "FEDORA_2010-14745.NASL", "FEDORA_2011-0096.NASL"]}, {"type": "freebsd", "idList": ["3FF95DD3-C291-11DF-B0DC-00215C6A37BB"]}, {"type": "ubuntu", "idList": ["USN-1004-1"]}], "modified": "2018-08-31T11:10:37"}, "vulnersScore": 6.1}, "objectVersion": "1.3", "affectedSoftware": []}
{"cve": [{"lastseen": "2019-05-29T18:10:29", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.", "modified": "2017-08-17T01:32:00", "id": "CVE-2010-3082", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082", "published": "2010-09-14T19:00:00", "title": "CVE-2010-3082", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2018-01-19T15:05:13", "bulletinFamily": "scanner", "description": "Check for the Version of Django", "modified": "2018-01-19T00:00:00", "published": "2010-09-14T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862406", "id": "OPENVAS:1361412562310862406", "type": "openvas", "title": "Fedora Update for Django FEDORA-2010-14398", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2010-14398\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 13\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047553.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862406\");\n script_version(\"$Revision: 8469 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-19 08:58:21 +0100 (Fri, 19 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-14 15:35:55 +0200 (Tue, 14 Sep 2010)\");\n script_xref(name: \"FEDORA\", value: \"2010-14398\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-3082\");\n script_name(\"Fedora Update for Django FEDORA-2010-14398\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~1.2.2~1.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-02T10:54:40", "bulletinFamily": "scanner", "description": "Check for the Version of Django", "modified": "2017-12-22T00:00:00", "published": "2010-12-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862686", "id": "OPENVAS:1361412562310862686", "title": "Fedora Update for Django FEDORA-2010-14745", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2010-14745\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 14\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048237.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862686\");\n script_version(\"$Revision: 8228 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-22 08:29:52 +0100 (Fri, 22 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-02 08:39:14 +0100 (Thu, 02 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-14745\");\n script_cve_id(\"CVE-2010-3082\");\n script_name(\"Fedora Update for Django FEDORA-2010-14745\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~1.2.3~1.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-21T11:32:22", "bulletinFamily": "scanner", "description": "Check for the Version of Django", "modified": "2017-12-20T00:00:00", "published": "2010-09-14T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=862404", "id": "OPENVAS:862404", "title": "Fedora Update for Django FEDORA-2010-14430", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2010-14430\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 12\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047517.html\");\n script_id(862404);\n script_version(\"$Revision: 8186 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-20 07:30:34 +0100 (Wed, 20 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-14 15:35:55 +0200 (Tue, 14 Sep 2010)\");\n script_xref(name: \"FEDORA\", value: \"2010-14430\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-3082\");\n script_name(\"Fedora Update for Django FEDORA-2010-14430\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC12\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~1.2.2~1.fc12\", rls:\"FC12\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-14T11:48:51", "bulletinFamily": "scanner", "description": "Check for the Version of Django", "modified": "2017-12-13T00:00:00", "published": "2010-12-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=862686", "id": "OPENVAS:862686", "title": "Fedora Update for Django FEDORA-2010-14745", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2010-14745\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 14\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048237.html\");\n script_id(862686);\n script_version(\"$Revision: 8092 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-13 07:31:16 +0100 (Wed, 13 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-02 08:39:14 +0100 (Thu, 02 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2010-14745\");\n script_cve_id(\"CVE-2010-3082\");\n script_name(\"Fedora Update for Django FEDORA-2010-14745\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~1.2.3~1.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-21T11:33:15", "bulletinFamily": "scanner", "description": "Check for the Version of Django", "modified": "2017-12-21T00:00:00", "published": "2010-09-14T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=862406", "id": "OPENVAS:862406", "title": "Fedora Update for Django FEDORA-2010-14398", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2010-14398\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 13\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047553.html\");\n script_id(862406);\n script_version(\"$Revision: 8205 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-21 07:30:37 +0100 (Thu, 21 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-14 15:35:55 +0200 (Tue, 14 Sep 2010)\");\n script_xref(name: \"FEDORA\", value: \"2010-14398\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-3082\");\n script_name(\"Fedora Update for Django FEDORA-2010-14398\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~1.2.2~1.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-02T21:10:01", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2017-02-10T00:00:00", "published": "2010-10-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=68103", "id": "OPENVAS:68103", "title": "django -- cross-site scripting vulnerability", "type": "openvas", "sourceData": "#\n#VID 3ff95dd3-c291-11df-b0dc-00215c6a37bb\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 3ff95dd3-c291-11df-b0dc-00215c6a37bb\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n py23-django\n py24-django\n py25-django\n py26-django\n py30-django\n py31-django\n py23-django-devel\n py24-django-devel\n py25-django-devel\n py26-django-devel\n py30-django-devel\n py31-django-devel\n\nCVE-2010-3082\nCross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2\nallows remote attackers to inject arbitrary web script or HTML via a\ncsrfmiddlewaretoken (aka csrf_token) cookie.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://xforce.iss.net/xforce/xfdb/61729\nhttp://www.vuxml.org/freebsd/3ff95dd3-c291-11df-b0dc-00215c6a37bb.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(68103);\n script_version(\"$Revision: 5263 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-10 14:45:51 +0100 (Fri, 10 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-10 19:35:00 +0200 (Sun, 10 Oct 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-3082\");\n script_bugtraq_id(43116);\n script_name(\"django -- cross-site scripting vulnerability\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"py23-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py23-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py24-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py24-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py25-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py25-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py26-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py26-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py30-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py30-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py31-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py31-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py23-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py23-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py24-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py24-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py25-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py25-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py26-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py26-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py30-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py30-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py31-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py31-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-04T11:17:31", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1004-1", "modified": "2017-12-01T00:00:00", "published": "2010-11-23T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=840536", "id": "OPENVAS:840536", "title": "Ubuntu Update for python-django vulnerability USN-1004-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1004_1.nasl 7965 2017-12-01 07:38:25Z santu $\n#\n# Ubuntu Update for python-django vulnerability USN-1004-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that Django did not properly sanitize the cookie value\n when applying CSRF protections resulting in a cross-site scripting (XSS)\n vulnerability. With cross-site scripting vulnerabilities, if a user were\n tricked into viewing server output during a crafted server request, a\n remote attacker could exploit this to modify the contents, or steal\n confidential data, within the same domain.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1004-1\";\ntag_affected = \"python-django vulnerability on Ubuntu 10.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1004-1/\");\n script_id(840536);\n script_version(\"$Revision: 7965 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 08:38:25 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-11-23 15:30:07 +0100 (Tue, 23 Nov 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"USN\", value: \"1004-1\");\n script_cve_id(\"CVE-2010-3082\");\n script_name(\"Ubuntu Update for python-django vulnerability USN-1004-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-django-doc\", ver:\"1.2.3-1ubuntu0.1\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.2.3-1ubuntu0.1\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-18T11:04:31", "bulletinFamily": "scanner", "description": "Check for the Version of Django", "modified": "2018-01-17T00:00:00", "published": "2010-09-14T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862404", "id": "OPENVAS:1361412562310862404", "type": "openvas", "title": "Fedora Update for Django FEDORA-2010-14430", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for Django FEDORA-2010-14430\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"Django on Fedora 12\";\ntag_insight = \"Django is a high-level Python Web framework that encourages rapid\n development and a clean, pragmatic design. It focuses on automating as\n much as possible and adhering to the DRY (Don't Repeat Yourself)\n principle.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047517.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862404\");\n script_version(\"$Revision: 8440 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 08:58:46 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-14 15:35:55 +0200 (Tue, 14 Sep 2010)\");\n script_xref(name: \"FEDORA\", value: \"2010-14430\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-3082\");\n script_name(\"Fedora Update for Django FEDORA-2010-14430\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Django\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC12\")\n{\n\n if ((res = isrpmvuln(pkg:\"Django\", rpm:\"Django~1.2.2~1.fc12\", rls:\"FC12\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-08T12:54:27", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-01-08T00:00:00", "published": "2010-10-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231068103", "id": "OPENVAS:136141256231068103", "title": "django -- cross-site scripting vulnerability", "type": "openvas", "sourceData": "#\n#VID 3ff95dd3-c291-11df-b0dc-00215c6a37bb\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 3ff95dd3-c291-11df-b0dc-00215c6a37bb\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n py23-django\n py24-django\n py25-django\n py26-django\n py30-django\n py31-django\n py23-django-devel\n py24-django-devel\n py25-django-devel\n py26-django-devel\n py30-django-devel\n py31-django-devel\n\nCVE-2010-3082\nCross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2\nallows remote attackers to inject arbitrary web script or HTML via a\ncsrfmiddlewaretoken (aka csrf_token) cookie.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://xforce.iss.net/xforce/xfdb/61729\nhttp://www.vuxml.org/freebsd/3ff95dd3-c291-11df-b0dc-00215c6a37bb.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.68103\");\n script_version(\"$Revision: 8314 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-08 09:01:01 +0100 (Mon, 08 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-10 19:35:00 +0200 (Sun, 10 Oct 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2010-3082\");\n script_bugtraq_id(43116);\n script_name(\"django -- cross-site scripting vulnerability\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"py23-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py23-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py24-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py24-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py25-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py25-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py26-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py26-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py30-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py30-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py31-django\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.2\")>0 && revcomp(a:bver, b:\"1.2.2\")<0) {\n txt += 'Package py31-django version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py23-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py23-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py24-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py24-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py25-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py25-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py26-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py26-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py30-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py30-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"py31-django-devel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"13698,1\")<0) {\n txt += 'Package py31-django-devel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-18T11:04:30", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1004-1", "modified": "2018-01-17T00:00:00", "published": "2010-11-23T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840536", "id": "OPENVAS:1361412562310840536", "type": "openvas", "title": "Ubuntu Update for python-django vulnerability USN-1004-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1004_1.nasl 8440 2018-01-17 07:58:46Z teissa $\n#\n# Ubuntu Update for python-django vulnerability USN-1004-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that Django did not properly sanitize the cookie value\n when applying CSRF protections resulting in a cross-site scripting (XSS)\n vulnerability. With cross-site scripting vulnerabilities, if a user were\n tricked into viewing server output during a crafted server request, a\n remote attacker could exploit this to modify the contents, or steal\n confidential data, within the same domain.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1004-1\";\ntag_affected = \"python-django vulnerability on Ubuntu 10.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1004-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840536\");\n script_version(\"$Revision: 8440 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 08:58:46 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-11-23 15:30:07 +0100 (Tue, 23 Nov 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"USN\", value: \"1004-1\");\n script_cve_id(\"CVE-2010-3082\");\n script_name(\"Ubuntu Update for python-django vulnerability USN-1004-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-django-doc\", ver:\"1.2.3-1ubuntu0.1\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.2.3-1ubuntu0.1\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2020-03-17T23:21:55", "bulletinFamily": "scanner", "description": "' Today the Django team has released Django 1.2.3, which remedies\nseveral issues with the recent 1.2.2 package.\n\nThis package corrects the following problems :\n\n - The patch applied for the security issue covered in\n Django 1.2.2 caused issues with non-ASCII responses\n using CSRF tokens. This has been remedied.\n\n - The patch also caused issues with some forms, most\n notably the user-editing forms in the Django\n administrative interface. This has been remedied.\n\n - The packaging manifest did not contain the full list\n of required files. This has been remedied. ", "modified": "2020-03-02T00:00:00", "id": "FEDORA_2010-14745.NASL", "href": "https://www.tenable.com/plugins/nessus/49663", "published": "2010-09-24T00:00:00", "title": "Fedora 14 : Django-1.2.3-1.fc14 (2010-14745)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2010-14745.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49663);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/08/02 13:32:31\");\n\n script_cve_id(\"CVE-2010-3082\");\n script_bugtraq_id(43116);\n script_xref(name:\"FEDORA\", value:\"2010-14745\");\n\n script_name(english:\"Fedora 14 : Django-1.2.3-1.fc14 (2010-14745)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"' Today the Django team has released Django 1.2.3, which remedies\nseveral issues with the recent 1.2.2 package.\n\nThis package corrects the following problems :\n\n - The patch applied for the security issue covered in\n Django 1.2.2 caused issues with non-ASCII responses\n using CSRF tokens. This has been remedied.\n\n - The patch also caused issues with some forms, most\n notably the user-editing forms in the Django\n administrative interface. This has been remedied.\n\n - The packaging manifest did not contain the full list\n of required files. This has been remedied. '\n\nSee: http://www.djangoproject.com/weblog/2010/sep/10/123/ See\nhttp://www.djangoproject.com/weblog/2010/sep/08/security-release/\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.djangoproject.com/weblog/2010/sep/08/security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2010/sep/08/security-release/\"\n );\n # http://www.djangoproject.com/weblog/2010/sep/10/123/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2010/sep/10/123/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=632239\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2010-September/048237.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4f01dc97\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"Django-1.2.3-1.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-17T23:21:55", "bulletinFamily": "scanner", "description": "See http://www.djangoproject.com/weblog/2010/sep/08/security-release/\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-03-02T00:00:00", "id": "FEDORA_2010-14430.NASL", "href": "https://www.tenable.com/plugins/nessus/49199", "published": "2010-09-12T00:00:00", "title": "Fedora 12 : Django-1.2.2-1.fc12 (2010-14430)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2010-14430.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49199);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/08/02 13:32:31\");\n\n script_cve_id(\"CVE-2010-3082\");\n script_bugtraq_id(43116);\n script_xref(name:\"FEDORA\", value:\"2010-14430\");\n\n script_name(english:\"Fedora 12 : Django-1.2.2-1.fc12 (2010-14430)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"See http://www.djangoproject.com/weblog/2010/sep/08/security-release/\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.djangoproject.com/weblog/2010/sep/08/security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2010/sep/08/security-release/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=632239\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2010-September/047517.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0452791e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^12([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 12.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC12\", reference:\"Django-1.2.2-1.fc12\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-17T23:21:55", "bulletinFamily": "scanner", "description": "See http://www.djangoproject.com/weblog/2010/sep/08/security-release/\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-03-02T00:00:00", "id": "FEDORA_2010-14398.NASL", "href": "https://www.tenable.com/plugins/nessus/49198", "published": "2010-09-12T00:00:00", "title": "Fedora 13 : Django-1.2.2-1.fc13 (2010-14398)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2010-14398.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49198);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/08/02 13:32:31\");\n\n script_cve_id(\"CVE-2010-3082\");\n script_bugtraq_id(43116);\n script_xref(name:\"FEDORA\", value:\"2010-14398\");\n\n script_name(english:\"Fedora 13 : Django-1.2.2-1.fc13 (2010-14398)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"See http://www.djangoproject.com/weblog/2010/sep/08/security-release/\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.djangoproject.com/weblog/2010/sep/08/security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2010/sep/08/security-release/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=632239\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2010-September/047553.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e3de3ab8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"Django-1.2.2-1.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-18T03:17:36", "bulletinFamily": "scanner", "description": "It was discovered that Django did not properly sanitize the cookie\nvalue when applying CSRF protections resulting in a cross-site\nscripting (XSS) vulnerability. With cross-site scripting\nvulnerabilities, if a user were tricked into viewing server output\nduring a crafted server request, a remote attacker could exploit this\nto modify the contents, or steal confidential data, within the same\ndomain.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-03-02T00:00:00", "id": "UBUNTU_USN-1004-1.NASL", "href": "https://www.tenable.com/plugins/nessus/49995", "published": "2010-10-15T00:00:00", "title": "Ubuntu 10.10 : python-django vulnerability (USN-1004-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1004-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49995);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/09/19 12:54:26\");\n\n script_cve_id(\"CVE-2010-3082\");\n script_bugtraq_id(43116);\n script_xref(name:\"USN\", value:\"1004-1\");\n\n script_name(english:\"Ubuntu 10.10 : python-django vulnerability (USN-1004-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Django did not properly sanitize the cookie\nvalue when applying CSRF protections resulting in a cross-site\nscripting (XSS) vulnerability. With cross-site scripting\nvulnerabilities, if a user were tricked into viewing server output\nduring a crafted server request, a remote attacker could exploit this\nto modify the contents, or steal confidential data, within the same\ndomain.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1004-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-django and / or python-django-doc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-django-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.10\", pkgname:\"python-django\", pkgver:\"1.2.3-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"python-django-doc\", pkgver:\"1.2.3-1ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-django / python-django-doc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-18T00:08:22", "bulletinFamily": "scanner", "description": "Django project reports :\n\nThe provided template tag for inserting the CSRF token into forms --\n{% csrf_token %} -- explicitly trusts the cookie value, and displays\nit as-is. Thus, an attacker who is able to tamper with the value of\nthe CSRF cookie can cause arbitrary content to be inserted, unescaped,\ninto the outgoing HTML of the form, enabling cross-site scripting\n(XSS) attacks.", "modified": "2020-03-02T00:00:00", "id": "FREEBSD_PKG_3FF95DD3C29111DFB0DC00215C6A37BB.NASL", "href": "https://www.tenable.com/plugins/nessus/49273", "published": "2010-09-17T00:00:00", "title": "FreeBSD : django -- XSS vulnerability (3ff95dd3-c291-11df-b0dc-00215c6a37bb)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49273);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/08/02 13:32:40\");\n\n script_cve_id(\"CVE-2010-3082\");\n script_bugtraq_id(43116);\n\n script_name(english:\"FreeBSD : django -- XSS vulnerability (3ff95dd3-c291-11df-b0dc-00215c6a37bb)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Django project reports :\n\nThe provided template tag for inserting the CSRF token into forms --\n{% csrf_token %} -- explicitly trusts the cookie value, and displays\nit as-is. Thus, an attacker who is able to tamper with the value of\nthe CSRF cookie can cause arbitrary content to be inserted, unescaped,\ninto the outgoing HTML of the form, enabling cross-site scripting\n(XSS) attacks.\"\n );\n # http://xforce.iss.net/xforce/xfdb/61729\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b627dbc2\"\n );\n # https://vuxml.freebsd.org/freebsd/3ff95dd3-c291-11df-b0dc-00215c6a37bb.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a56a840d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py23-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py23-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py24-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py24-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py25-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py25-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py26-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py26-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py30-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py30-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py31-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py31-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py23-django>1.2<1.2.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py24-django>1.2<1.2.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py25-django>1.2<1.2.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py26-django>1.2<1.2.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py30-django>1.2<1.2.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py31-django>1.2<1.2.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py23-django-devel<13698,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py24-django-devel<13698,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py25-django-devel<13698,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py26-django-devel<13698,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py30-django-devel<13698,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py31-django-devel<13698,1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-17T23:22:03", "bulletinFamily": "scanner", "description": " - Mon Jan 3 2011 Steve ", "modified": "2020-03-02T00:00:00", "id": "FEDORA_2011-0096.NASL", "href": "https://www.tenable.com/plugins/nessus/51512", "published": "2011-01-14T00:00:00", "title": "Fedora 13 : Django-1.2.4-1.fc13 (2011-0096)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-0096.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51512);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/08/02 13:32:33\");\n\n script_cve_id(\"CVE-2010-4534\", \"CVE-2010-4535\");\n script_xref(name:\"FEDORA\", value:\"2011-0096\");\n\n script_name(english:\"Fedora 13 : Django-1.2.4-1.fc13 (2011-0096)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Mon Jan 3 2011 Steve 'Ashcrow' Milner <me at\n stevemilner.org> - 1.2.4-1\n\n - Update for multiple security issues (see\n http://www.djangoproject.com/weblog/2010/dec/22/securi\n ty/)\n\n - Sat Oct 9 2010 Steve 'Ashcrow' Milner <me at\n stevemilner.org> - 1.2.3-3\n\n - Now build docs for F12+\n\n - Added Django-remove-djangodocs-ext.patch\n\n - Sat Oct 9 2010 Steve 'Ashcrow' Milner <me at\n stevemilner.org> - 1.2.3-2\n\n - Moved to dirhtml for documentation generation\n\n - Mon Sep 13 2010 Steve 'Ashcrow' Milner <me at\n stevemilner.org> - 1.2.3-1\n\n - Update for\n http://www.djangoproject.com/weblog/2010/sep/10/123/\n\n - Thu Sep 9 2010 Steve 'Ashcrow' Milner <me at\n stevemilner.org> - 1.2.2-1\n\n - Update for CVE-2010-3082 (see\n http://www.djangoproject.com/weblog/2010/sep/08/securi\n ty-release/)\n\n - Removed Django-hash-compat-13310.patch as it is\n already included in this release\n\n - Wed Jul 21 2010 David Malcolm <dmalcolm at redhat.com>\n - 1.2.1-6\n\n - Rebuilt for\n https://fedoraproject.org/wiki/Features/Python_2.7/Mas\n sRebuild\n\n - Tue Jun 8 2010 Steve 'Ashcrow' Milner <stevem at\n gnulinux.net> - 1.2.1-5\n\n - Added\n http://code.djangoproject.com/changeset/13310?format=d\n iff&new=13310 per BZ#601212\n\n - Thu Jun 3 2010 Steve 'Ashcrow' Milner <stevem at\n gnulinux.net> - 1.2.1-4\n\n - Include egg in >= rhel6\n\n - Thu Jun 3 2010 Michel Salim <salimma at\n fedoraproject.org> - 1.2.1-3\n\n - Use generated %{name}.lang instead of including each\n locale file by hand\n\n - Temporarily make main package provide -doc on Rawhide,\n to fix upgrade path until upstream documentation\n builds with Sphinx 1.0\n\n - Thu May 27 2010 Steve 'Ashcrow' Milner <stevem at\n gnulinux.net> - 1.2.1-2\n\n - Allow for building docs in F13 as it's only F14\n freaking out\n\n - Tue May 25 2010 Steve 'Ashcrow' Milner <stevem at\n gnulinux.net> - 1.2.1-1\n\n - Update for new release.\n\n - Added lang files per BZ#584866.\n\n - Changed perms on\n %{python_sitelib}/django/contrib/admin/media/js/compre\n ss.py\n\n - Lots of explicit files listed in %files in order to\n reduce duplicate file listings\n\n - Docs are not built on F-13 for now\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://code.djangoproject.com/changeset/13310?format=diff&new=13310\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/django/django/commit/adc9458541\"\n );\n # http://www.djangoproject.com/weblog/2010/dec/22/security/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2010/dec/22/security/\"\n );\n # http://www.djangoproject.com/weblog/2010/sep/08/security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2010/sep/08/security-release/\"\n );\n # http://www.djangoproject.com/weblog/2010/sep/10/123/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2010/sep/10/123/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=665373\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f21a156f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:Django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"Django-1.2.4-1.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Django\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:38", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2010-10-19T00:00:00", "published": "2010-10-19T00:00:00", "id": "SECURITYVULNS:VULN:11203", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11203", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "github": [{"lastseen": "2020-03-10T23:26:15", "bulletinFamily": "software", "description": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.", "modified": "2019-07-03T21:02:01", "published": "2018-07-23T19:52:42", "id": "GHSA-FXPG-GG9G-76GJ", "href": "https://github.com/advisories/GHSA-fxpg-gg9g-76gj", "title": "Moderate severity vulnerability that affects django", "type": "github", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:05", "bulletinFamily": "unix", "description": "\nDjango project reports:\n\nThe provided template tag for inserting the CSRF\n\t token into forms -- {% csrf_token %} -- explicitly\n\t trusts the cookie value, and displays it as-is.\n\t Thus, an attacker who is able to tamper with the\n\t value of the CSRF cookie can cause arbitrary content\n\t to be inserted, unescaped, into the outgoing HTML of\n\t the form, enabling cross-site scripting (XSS) attacks.\n\n", "modified": "2010-09-13T00:00:00", "published": "2010-09-13T00:00:00", "id": "3FF95DD3-C291-11DF-B0DC-00215C6A37BB", "href": "https://vuxml.freebsd.org/freebsd/3ff95dd3-c291-11df-b0dc-00215c6a37bb.html", "title": "django -- cross-site scripting vulnerability", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntu": [{"lastseen": "2019-05-29T17:22:06", "bulletinFamily": "unix", "description": "It was discovered that Django did not properly sanitize the cookie value when applying CSRF protections resulting in a cross-site scripting (XSS) vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.", "modified": "2010-10-13T00:00:00", "published": "2010-10-13T00:00:00", "id": "USN-1004-1", "href": "https://usn.ubuntu.com/1004-1/", "title": "Django vulnerability", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
