Vulnerability Details CVE-2012-4520
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.039
EPSS Ranking 87.9%
CVSS Severity
CVSS v2 Score 6.4
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
- http://secunia.com/advisories/51033
- http://secunia.com/advisories/51314
- http://securitytracker.com/id?1027708
- http://ubuntu.com/usn/usn-1632-1
- http://ubuntu.com/usn/usn-1757-1
- http://www.debian.org/security/2013/dsa-2634
- http://www.openwall.com/lists/oss-security/2012/10/30/4
- http://www.osvdb.org/86493
- https://bugzilla.redhat.com/show_bug.cgi?id=865164
- https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
- https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
- https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
- https://www.djangoproject.com/weblog/2012/oct/17/security/
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
- http://secunia.com/advisories/51033
- http://secunia.com/advisories/51314
- http://securitytracker.com/id?1027708
- http://ubuntu.com/usn/usn-1632-1
- http://ubuntu.com/usn/usn-1757-1
- http://www.debian.org/security/2013/dsa-2634
- http://www.openwall.com/lists/oss-security/2012/10/30/4
- http://www.osvdb.org/86493
- https://bugzilla.redhat.com/show_bug.cgi?id=865164
- https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
- https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
- https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
- https://www.djangoproject.com/weblog/2012/oct/17/security/
Products affected by CVE-2012-4520
-
cpe:2.3:a:djangoproject:django:1.3
-
cpe:2.3:a:djangoproject:django:1.3.1
-
cpe:2.3:a:djangoproject:django:1.3.2
-
cpe:2.3:a:djangoproject:django:1.3.3
-
cpe:2.3:a:djangoproject:django:1.4
-
cpe:2.3:a:djangoproject:django:1.4.1