Bug 936357 - (CVE-2015-5081) VUL-0: CVE-2015-5081: python-django,python-Django: Re: CVE Request: Django CMS
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/118073/
Whiteboard: CVSSv3:RedHat:CVE-2015-5081:4.7:(AV:...
Depends on:
Blocks:
Reported: 2015-06-29 06:41 UTC by Marcus Meissner
Modified: 2017-08-24 21:51 UTC (History)
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-06-29 06:41:03 UTC
CVE-2015-5081

 From: Matthew Wilkes <matthew () matthewwilkes co uk>
Date: Sun, 28 Jun 2015 00:23:10 +0100

Hi,

Can a CVE be assigned to this issue, please?

    http://www.django-cms.org/en/blog/2015/06/27/311-3014-release/

It's a CSRF issue around publishing of draft changes in Django CMS. Versions affected are Django CMS <3.0.14 and <3.1.1. I haven't verified its presence in Django CMS <3.0, I'm afraid.


The relevant commit is:


https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a

The vendor credits with the discovery:
 * Sylvain Fankhauser of L//P
 * Matthew Wilkes of The Code Distillery

Thanks, let me know if you'd like more information.

Matt

CVE assignment:
http://seclists.org/oss-sec/2015/q2/814


    a CSRF issue around publishing of draft changes

    http://www.django-cms.org/en/blog/2015/06/27/311-3014-release/
    https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a


Use CVE-2015-5081 for the CSRF issue.

The cms.changelist.js and cms.toolbar.js changes include a comment
"send post request to prevent xss attacks." The "xss" word choice
might be a mistake. We are not currently assigning a CVE ID for a
separate XSS issue.

    Sylvain Fankhauser of L//P and Matthew Wilkes of The Code Distillery,
    who discovered and privately demonstrated to the django CMS core
    developers an important CSRF vulnerability and contacted us through
    the documented channels.


CVE IDs were not assigned on a per-discoverer basis here because there
was no available information suggesting that different persons
independently discovered different CSRF problems.
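The two messages above describe the class of bug (a state-changing "publish draft" action reachable without CSRF protection) and the shape of the fix (the toolbar JavaScript was changed to send a POST request). The following is an added illustration, written for this page and not taken from django-cms, the referenced commit, or either e-mail. It models the weak pattern beside a hardened handler in plain Python so it runs without Django: `Request`, `publish_draft_weak`, `publish_draft_hardened` and the page names are constructed for the example, and the token scheme (an HMAC over the session id) is a simplification of what Django's CSRF middleware actually does, not a copy of it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo secret: a real deployment loads this from settings, never from source.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    session_id: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Per-session token: an HMAC over the session id, so a third-party site
    that can make the victim's browser send a request still cannot supply it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def publish_draft_weak(request: Request, drafts: dict) -> int:
    """The pattern the advisory describes: a state change reachable by a plain
    GET with no token. Any page the victim visits can trigger it with an <img>
    or <a> pointing at the URL, because the browser attaches the victim's
    session cookie automatically."""
    page = request.params.get("page")
    if page not in drafts:
        return 404
    drafts[page] = "published"
    return 200


def publish_draft_hardened(request: Request, drafts: dict) -> int:
    """Fixed pattern: accept only POST, and require a token bound to the
    session, compared in constant time. Django's CsrfViewMiddleware performs
    an equivalent check (header X-CSRFToken or form field csrfmiddlewaretoken)."""
    if request.method != "POST":
        return 405
    supplied = request.headers.get("X-CSRFToken") or request.params.get("csrfmiddlewaretoken")
    if not supplied or not hmac.compare_digest(supplied, csrf_token_for(request.session_id)):
        return 403
    page = request.params.get("page")
    if page not in drafts:
        return 404
    drafts[page] = "published"
    return 200


def run_scenarios() -> dict:
    """Replay a forged cross-site GET against both handlers, then token-less,
    wrong-token and legitimate POSTs against the hardened one."""
    session = "sess-victim-42"  # constructed session id
    forged = Request("GET", session, params={"page": "home"})

    weak_drafts = {"home": "draft"}
    weak_status = publish_draft_weak(forged, weak_drafts)

    hard_drafts = {"home": "draft"}
    hard_get = publish_draft_hardened(forged, hard_drafts)
    hard_post_no_token = publish_draft_hardened(
        Request("POST", session, params={"page": "home"}), hard_drafts)
    hard_post_bad_token = publish_draft_hardened(
        Request("POST", session, params={"page": "home"}, headers={"X-CSRFToken": "0" * 64}),
        hard_drafts)
    state_before_legit = hard_drafts["home"]
    legit = Request("POST", session, params={"page": "home"},
                    headers={"X-CSRFToken": csrf_token_for(session)})
    hard_post_ok = publish_draft_hardened(legit, hard_drafts)

    return {
        "weak_forged_get": weak_status,                      # 200: forgery succeeded
        "weak_state": weak_drafts["home"],                   # "published"
        "hardened_forged_get": hard_get,                     # 405
        "hardened_post_no_token": hard_post_no_token,        # 403
        "hardened_post_bad_token": hard_post_bad_token,      # 403
        "hardened_state_before_legit": state_before_legit,   # still "draft"
        "hardened_legit_post": hard_post_ok,                 # 200
        "hardened_state_after_legit": hard_drafts["home"],   # "published"
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Moving the action to POST on its own only closes the `<img>`/link vector; the token check is what stops a cross-site form submission, which is why both halves appear in the hardened handler. In a real Django view the same outcome comes from leaving `CsrfViewMiddleware` enabled, decorating the view with `require_POST`, and having the JavaScript send the token in the `X-CSRFToken` header.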
Comment 1 Marcus Meissner 2015-06-29 06:42:30 UTC
hmm, this is about django cms, not django itself apparently