CVE-2012-4520

🗓️ 30 Oct 2012 00:00:00Reported by ubuntu.comType

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values

Reporter	Title	Published	Views	Family All 48
FreeBSD	django -- multiple vulnerabilities	17 Oct 201200:00	–	freebsd
CVE	CVE-2012-4520	18 Nov 201223:00	–	cve
Cvelist	CVE-2012-4520	18 Nov 201223:00	–	cvelist
Debian	[SECURITY] [DSA 2634-1] python-django security update	26 Feb 201323:58	–	debian
Debian CVE	CVE-2012-4520	18 Nov 201223:00	–	debiancve
Tenable Nessus	Debian DSA-2634-1 : python-django - several vulnerabilities	27 Feb 201300:00	–	nessus
Tenable Nessus	Fedora 18 : python-django-1.4.2-1.fc18 (2012-16406)	24 Oct 201200:00	–	nessus
Tenable Nessus	Fedora 16 : Django-1.3.4-1.fc16 (2012-16417)	30 Oct 201200:00	–	nessus
Tenable Nessus	Fedora 17 : Django-1.4.2-1.fc17 (2012-16440)	31 Oct 201200:00	–	nessus
Tenable Nessus	FreeBSD : django -- multiple vulnerabilities (5f326d75-1db9-11e2-bc8f-d0df9acfd7e5)	26 Oct 201200:00	–	nessus

OS	OS Version	Architecture	Package	Package Version	Filename
Ubuntu	10.04	any	python-django	1.1.1-2ubuntu1.6	python-django_1.1.1-2ubuntu1.6_any.deb
Ubuntu	11.10	any	python-django	1.3-2ubuntu1.4	python-django_1.3-2ubuntu1.4_any.deb
Ubuntu	12.04	any	python-django	1.3.1-4ubuntu1.3	python-django_1.3.1-4ubuntu1.3_any.deb
Ubuntu	12.10	any	python-django	1.4.1-2ubuntu0.1	python-django_1.4.1-2ubuntu0.1_any.deb

Source	Link
openwall	www.openwall.com/lists/oss-security/2012/10/30/4
openwall	www.openwall.com/lists/oss-security/2012/10/29/17
djangoproject	www.djangoproject.com/weblog/2012/oct/17/security/
ubuntu	www.ubuntu.com/security/notices/USN-1632-1
ubuntu	www.ubuntu.com/security/notices/USN-1632-2
cve	www.cve.org/CVERecord
ubuntu	www.ubuntu.com/security/notices/USN-1757-1

26 May 2025 12:47Current

5.9Medium risk

Vulners AI Score5.9

CVSS 26.4

EPSS0.03893