CVE-2011-0696: Cross-site request forgery in Django
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.85363%
CWE
Published
7/23/2018
Updated
9/16/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Django | pip | >= 1.1, < 1.1.4 | 1.1.4 |
Django | pip | >= 1.2, < 1.2.5 | 1.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commit diff shows removal of the 'if request.is_ajax(): return None' check in process_view, which previously exempted AJAX requests from CSRF validation. This exemption was unsafe as X-Requested-With headers could be forged. The CVE description explicitly cites this AJAX exemption as the vulnerability vector. The test case 'test_ajax_exemption' was also modified to reflect the security fix, further confirming this was the vulnerable code path.