#VU698 Insecure cookie handling in Django - CVE-2016-7401

 

Published: September 30, 2016 / Updated: October 5, 2016


Vulnerability identifier: #VU698
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-7401
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Django before 1.8.15 and 1.9.x before 1.9.10
Software vendor:
Django Software Foundation

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an interaction between Django's cookie parsing code and Google Analytics. Django built request.COOKIES with Python's http.cookies parser, which splits a Cookie header differently from browsers: it ends a cookie value at whitespace and reads the text that follows as a further name=value pair. Google Analytics stores campaign parameters taken from the page URL in its cookies via document.cookie, where such characters are allowed. A remote attacker who lures a victim to a crafted URL can therefore set arbitrary cookies as seen by Django, including the csrftoken cookie, and bypass the CSRF protection implemented by the web application.

Successful exploitation of this vulnerability may allow an attacker to bypass website security mechanisms that rely on cookie values, such as CSRF protection.
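To make the parsing discrepancy concrete, the following is an added example; it is not part of this advisory and not Django's own code. It compares Python's http.cookies.SimpleCookie (the parser Django used for request.COOKIES before the fix) with a browser-like parser written in the style Django adopted in the fix, on a constructed Cookie header. The cookie names, the header value and the simplified csrf_check_passes() double-submit check are assumptions made for illustration.

```python
"""Cookie-parsing discrepancy behind CVE-2016-7401 (added example).

Python's http.cookies ends a cookie value at whitespace, so a value that
merely *contains* "csrftoken=attacker" after a space is read as a second
cookie. A browser sends the same header as three cookies.
"""
from http.cookies import SimpleCookie

# Constructed Cookie header (assumption, for illustration). The __utmz
# value stands in for what Google Analytics would store from an
# attacker-chosen campaign parameter; it contains a space.
CONSTRUCTED_COOKIE_HEADER = (
    "csrftoken=legitimate; "
    "__utmz=1.2.3.utmcsr=evil|utmccn=x csrftoken=attacker; "
    "sessionid=abc123"
)


def parse_cookie_stdlib(header):
    """Parse with http.cookies.SimpleCookie, as Django did before the fix."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def _unquote(value):
    """Strip one matching pair of double quotes and the two basic escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return value


def parse_cookie_browserlike(header):
    """Split on ';' and then on the first '=', the way document.cookie does.

    No character validation is attempted, so a value keeps its spaces and
    any '=' it contains; this mirrors the approach Django took in the fix.
    """
    result = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            key, val = chunk.split("=", 1)
        else:
            key, val = "", chunk  # unnamed cookie, which browsers allow
        key, val = key.strip(), val.strip()
        if key or val:
            result[key] = _unquote(val)
    return result


def csrf_check_passes(cookies, form_token):
    """Simplified double-submit check (assumption): cookie token == form token."""
    cookie_token = cookies.get("csrftoken")
    return cookie_token is not None and cookie_token == form_token


if __name__ == "__main__":
    # The attacker controls the form field; only the cookie decides.
    for name, parser in (("stdlib", parse_cookie_stdlib),
                         ("browser-like", parse_cookie_browserlike)):
        cookies = parser(CONSTRUCTED_COOKIE_HEADER)
        print(name, cookies)
        print("  forged token accepted:", csrf_check_passes(cookies, "attacker"))
```

With the stdlib parser the forged form token is accepted because the injected csrftoken cookie overrides the legitimate one; with the browser-like parser the whole string stays inside __utmz and the check fails.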


Remediation

Install update from vendor's website. The issue is fixed in Django 1.8.15 and 1.9.10, which replace the http.cookies based parsing of request.COOKIES with a parser that splits the header the way browsers do.

External links