Bugzilla – Bug 936357
VUL-0: CVE-2015-5081: python-django,python-Django: Re: CVE Request: Django CMS
Last modified: 2017-08-24 21:51:50 UTC
CVE-2015-5081

From: Matthew Wilkes <matthew () matthewwilkes co uk>
Date: Sun, 28 Jun 2015 00:23:10 +0100

Hi,

Can a CVE be assigned to this issue, please?

http://www.django-cms.org/en/blog/2015/06/27/311-3014-release/

It's a CSRF issue around publishing of draft changes in Django CMS. Versions affected are Django CMS <3.0.14 and <3.1.1. I haven't verified its presence in Django CMS <3.0, I'm afraid.

The relevant commit is: https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a

The vendor credits with the discovery:
* Sylvain Fankhauser of L//P
* Matthew Wilkes of The Code Distillery

Thanks, let me know if you'd like more information.

Matt

CVE assignment: http://seclists.org/oss-sec/2015/q2/814

> a CSRF issue around publishing of draft changes
> http://www.django-cms.org/en/blog/2015/06/27/311-3014-release/
> https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a

Use CVE-2015-5081 for the CSRF issue.

The cms.changelist.js and cms.toolbar.js changes include a comment "send post request to prevent xss attacks." The "xss" word choice might be a mistake. We are not currently assigning a CVE ID for a separate XSS issue.

> Sylvain Fankhauser of L//P and Matthew Wilkes of The Code Distillery, who discovered and privately demonstrated to the django CMS core developers an important CSRF vulnerability and contacted us through the documented channels.

CVE IDs were not assigned on a per-discoverer basis here because there was no available information suggesting that different persons independently discovered different CSRF problems.
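The messages above describe the bug class but not its mechanics, so here is an added illustration of the pattern the fix targets: a "publish draft" endpoint that fires on a plain GET with no anti-CSRF token, beside a hardened version that demands POST plus a session-bound token. This is example code written for this page, not django CMS code and not a reconstruction of the referenced commit; the request dict layout, the handler names, the in-memory session store and the page ids are all assumptions. It uses only the Python standard library so it runs without Django installed.

```python
# Added illustration for CVE-2015-5081's bug class (CSRF on a state-changing
# endpoint). Not django CMS code; handler names, the request dict layout and
# the in-memory stores are assumptions made for this example.
import hmac
import secrets

# Constructed server-side state: a session cookie value maps to a logged-in
# editor, and each session gets one CSRF token when it is created.
SESSIONS = {}  # session cookie -> {"user": str, "csrf": str}


def create_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own pages/toolbar JS for this session."""
    return SESSIONS[sid]["csrf"]


def publish_vulnerable(request, pages):
    """Before: any request carrying the editor's session cookie publishes.

    Browsers attach the session cookie to cross-site GETs too, so an attacker
    page containing <img src="https://cms.example/publish/?page=7"> publishes
    page 7 as soon as a logged-in editor views it.
    """
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 403
    pages[request["params"]["page"]]["published"] = True
    return 200


def publish_hardened(request, pages):
    """After: require POST and a token that only same-origin script can read."""
    if request["method"] != "POST":
        return 405
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 403
    # Token may arrive as a form field or, for XHR, as an X-CSRFToken header.
    supplied = (request.get("form", {}).get("csrfmiddlewaretoken")
                or request.get("headers", {}).get("X-CSRFToken", ""))
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403
    pages[request["params"]["page"]]["published"] = True
    return 200


def simulate():
    """Run forged cross-site requests and one legitimate request against both
    handlers; returns the status codes and resulting page state."""
    sid = create_session("editor")
    # Forged GET (image tag / link): session cookie attached by the browser, no token.
    forged_get = {"method": "GET", "cookie": sid, "params": {"page": "7"}}
    # Forged POST (auto-submitting cross-site form): still no token.
    forged_post = {"method": "POST", "cookie": sid, "params": {"page": "7"},
                   "form": {}}
    # Legitimate request from the CMS toolbar: POST carrying the session's token.
    legit = {"method": "POST", "cookie": sid, "params": {"page": "7"},
             "headers": {"X-CSRFToken": csrf_token_for(sid)}}

    vuln_pages = {"7": {"published": False}}
    hard_pages = {"7": {"published": False}}
    result = {
        "vulnerable_forged_get": publish_vulnerable(forged_get, vuln_pages),
        "vulnerable_published": vuln_pages["7"]["published"],
        "hardened_forged_get": publish_hardened(forged_get, hard_pages),
        "hardened_forged_post": publish_hardened(forged_post, hard_pages),
        "hardened_published_after_forgery": hard_pages["7"]["published"],
        "hardened_legit": publish_hardened(legit, hard_pages),
        "hardened_published_after_legit": hard_pages["7"]["published"],
    }
    return result


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The forged POST case is the caveat worth keeping in mind: moving a publish action from GET to POST only helps because something then verifies a token on POST. In a Django application that something is CsrfViewMiddleware, which checks the token only on unsafe methods (POST, PUT, PATCH, DELETE) and lets GET, HEAD, OPTIONS and TRACE through untouched, so a state-changing GET endpoint sits entirely outside its protection until it is switched to POST.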
hmm, this is about django cms, not django itself apparently