FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

django -- CSRF protection bypass on a site with Google Analytics

Affected packages
py-django19 < 1.9.10
py-django18 < 1.8.15
py-django < 1.8.15

Details

VuXML ID bb022643-84fb-11e6-a4a1-60a44ce6887b
Discovery 2016-09-26
Entry 2016-09-27

Django Software Foundation reports:

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

References

CVE Name CVE-2016-7401
URL https://www.djangoproject.com/weblog/2016/sep/26/security-releases/