oss-sec mailing list archives
CVE Assignment: django
From: Josh Bressers <bressers () redhat com>
Date: Thu, 9 Sep 2010 09:39:51 -0400 (EDT)
This was just pointed out to me: http://www.djangoproject.com/weblog/2010/sep/08/security-release/ """ The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks. """ Please use CVE-2010-3082 Thanks. -- JB
Current thread:
- CVE Assignment: django Josh Bressers (Sep 09)