Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
2015-01-16T16:59:18.657
2025-04-12T10:46:40.837
Deferred
CVSSv2: 5.0 (MEDIUM)
AV:N/AC:L/Au:N/C:N/I:P/A:N
10.0
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | djangoproject | django | ≤ 1.4.17 | Yes |
| Application | djangoproject | django | 1.6 | Yes |
| Application | djangoproject | django | 1.6.1 | Yes |
| Application | djangoproject | django | 1.6.2 | Yes |
| Application | djangoproject | django | 1.6.3 | Yes |
| Application | djangoproject | django | 1.6.4 | Yes |
| Application | djangoproject | django | 1.6.5 | Yes |
| Application | djangoproject | django | 1.6.6 | Yes |
| Application | djangoproject | django | 1.6.7 | Yes |
| Application | djangoproject | django | 1.6.8 | Yes |
| Application | djangoproject | django | 1.6.9 | Yes |
| Application | djangoproject | django | 1.7 | Yes |
| Application | djangoproject | django | 1.7.1 | Yes |
| Application | djangoproject | django | 1.7.2 | Yes |