CVE-2012-4520
python-django - several vulnerabilities
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 3.9%
Description
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values. The affected versions return the Host header unchecked, so a header such as `legit.example.com@attacker.example.net` (hostnames illustrative) is accepted; when Django prepends a scheme to build an absolute URL, for example the link in a password-reset e-mail, the text before `@` becomes URL userinfo and the link actually points at the attacker's host.
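The following is an added, stand-alone illustration of the mechanism described above; it is not code from this page or from Django. It models `get_host` before and after the fix on plain `dict` stand-ins for `request.META`, and uses `urllib.parse` to show which host a client would really connect to. The header values, the path and the validation regex are assumptions written here to mirror the approach the fixed releases took (reject anything that is not `host[:port]`), not copied from the project.

```python
import re
from urllib.parse import urlsplit

# Constructed request metadata standing in for request.META (WSGI-style keys).
# The second one carries the crafted Host header this CVE is about: the part
# before '@' reads like the legitimate site, but in a URL it is userinfo and
# the real host is attacker-controlled.
LEGIT_META = {"HTTP_HOST": "shop.example.com"}
POISONED_META = {"HTTP_HOST": "shop.example.com:anything@evil.example.net"}

# Validation pattern of the kind the fixed releases apply: a DNS-style name or a
# bracketed IPv6 literal, optionally followed by a numeric port, nothing else.
# Assumption: written here to demonstrate the approach, not Django's own source.
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


class SuspiciousOperation(Exception):
    """Raised for a Host header that could poison generated URLs."""


def get_host_vulnerable(meta):
    # Behaviour before 1.3.4 / 1.4.2: the Host header is trusted verbatim.
    return meta["HTTP_HOST"]


def get_host_fixed(meta):
    # Fixed behaviour: characters such as '@' or '/' make the match fail,
    # so the request is rejected instead of the value reaching URL building.
    host = meta["HTTP_HOST"]
    if not HOST_VALIDATION_RE.match(host.lower()):
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host)
    return host


def build_absolute_uri(get_host, meta, path="/accounts/reset/abc123/"):
    # What a password-reset mail would embed: scheme + get_host() + path.
    # (Hypothetical path; the point is that the host comes from the request.)
    return "http://%s%s" % (get_host(meta), path)


def effective_host(url):
    # The host a mail client or browser would actually connect to.
    return urlsplit(url).hostname


def demo():
    poisoned = build_absolute_uri(get_host_vulnerable, POISONED_META)
    try:
        get_host_fixed(POISONED_META)
        blocked = False
    except SuspiciousOperation:
        blocked = True
    return {
        "poisoned_url": poisoned,
        "poisoned_effective_host": effective_host(poisoned),
        "fixed_blocks_poisoned": blocked,
        "fixed_accepts_legit": get_host_fixed(LEGIT_META),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running it shows the vulnerable path producing `http://shop.example.com:anything@evil.example.net/...`, whose effective host is `evil.example.net`, while the fixed path raises on the same header and still accepts the plain hostname. Note what syntax validation does not do: a Host header that is simply a different, well-formed hostname still passes, so generated links remain only as trustworthy as the front-end's virtual-host configuration; later Django releases added the ALLOWED_HOSTS setting to allow-list the expected names.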
How to fix CVE-2012-4520
To remediate CVE-2012-4520, upgrade the affected package to one of the fixed versions below (the page lists the fix for each tracked package; where the package name is absent it is left blank here).
- Debian/python-django: upgrade to 1.4.2-1 or later
- Upgrade to 1.2.3-3+squeeze5 or later
- Upgrade to 1.3.4 or later
- Git source: use a checkout at or after commit 9305c0e12d43c4df999c3301a1f0c742264a657e
Is CVE-2012-4520 being exploited?
Low. EPSS is 3.9%, an estimated probability of roughly 4% that exploitation activity occurs in the next 30 days. That is a prediction, not a report of observed exploitation; the page carries no evidence of exploitation in the wild.
Affected packages (4)
- All versions < 1.4.2-1
- All versions < 1.2.3-3+squeeze5
- >= 1.3, < 1.3.4
- Git source: fixed in commits 9305c0e12d43c4df999c3301a1f0c742264a657e, b45c377f8f488955e0c7069cad3f3dd21910b071 and 92d3430f12171f16f566c9050c40feefb830a4a3; by version, >= 1.3, < 1.3.4 and >= 1.4, < 1.4.2
CVSS scores
| Source | Version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |