
CVE-2011-0696: Cross-site request forgery in Django

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.85363%
Published: 7/23/2018
Updated: 9/16/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package   Ecosystem   Vulnerable Versions   First Patched Version
Django    pip         >= 1.1, < 1.1.4       1.1.4
Django    pip         >= 1.2, < 1.2.5       1.2.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The commit diff shows removal of the 'if request.is_ajax(): return None' check in process_view, which previously exempted AJAX requests from CSRF validation. This exemption was unsafe as X-Requested-With headers could be forged. The CVE description explicitly cites this AJAX exemption as the vulnerability vector. The test case 'test_ajax_exemption' was also modified to reflect the security fix, further confirming this was the vulnerable code path.
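To make the root cause concrete, the following is an added, simplified re-implementation of the two versions of the process_view check, not Django's own code: a constructed stand-in request class, the pre-fix logic that returns early when the client-controlled X-Requested-With header is present, and the post-fix logic that validates the token on every state-changing request. The double-submit comparison, the helper names and the sample requests are assumptions made for the example.

```python
import hmac
import secrets

# Constructed stand-in for Django's HttpRequest (not Django's own class).
class Request:
    def __init__(self, method, headers, post, cookies):
        self.method = method
        self.headers = headers    # e.g. {"X-Requested-With": "XMLHttpRequest"}
        self.POST = post          # body fields
        self.COOKIES = cookies

    def is_ajax(self):
        # Same test Django's request.is_ajax() used: a client-controlled header.
        return self.headers.get("X-Requested-With") == "XMLHttpRequest"

def _token_matches(request):
    """Double-submit check: the body token must equal the csrftoken cookie."""
    cookie = request.COOKIES.get("csrftoken", "")
    sent = request.POST.get("csrfmiddlewaretoken", "")
    return bool(cookie) and hmac.compare_digest(cookie, sent)

def process_view_vulnerable(request):
    """Mirrors the pre-fix logic: AJAX requests skipped CSRF validation."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None
    if request.is_ajax():
        return None  # the exemption removed by the CVE-2011-0696 fix
    return None if _token_matches(request) else "403 Forbidden"

def process_view_fixed(request):
    """Post-fix logic: every state-changing request needs the token, AJAX included."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None
    return None if _token_matches(request) else "403 Forbidden"

def demo():
    token = secrets.token_hex(16)
    # Constructed requests. The browser attaches the victim's cookie to both; only
    # a same-origin page can read that cookie and copy it into the body.
    forged = Request("POST", {"X-Requested-With": "XMLHttpRequest"}, {}, {"csrftoken": token})
    legit = Request("POST", {"X-Requested-With": "XMLHttpRequest"},
                    {"csrfmiddlewaretoken": token}, {"csrftoken": token})
    return {
        "forged_vulnerable": process_view_vulnerable(forged),
        "forged_fixed": process_view_fixed(forged),
        "legit_fixed": process_view_fixed(legit),
    }
```

The vulnerable check lets the tokenless request through purely on the strength of a header; the fixed check rejects it, and only the request carrying the token (the pattern Django's post-1.2.5 JavaScript guidance requires) is accepted.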


WAF Protection Rules

WAF Rule

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX request
