What is GHSA-5j2h-h5hg-3wf8?

GHSA-5j2h-h5hg-3wf8 is a security advisory published by GitHub Security Advisories with High severity. Cross-site request forgery in Django

Which CVE IDs does GHSA-5j2h-h5hg-3wf8 cover?

GHSA-5j2h-h5hg-3wf8 covers the following CVE IDs: CVE-2011-0696. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-5j2h-h5hg-3wf8?

GHSA-5j2h-h5hg-3wf8 has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

Which products are affected by GHSA-5j2h-h5hg-3wf8?

GHSA-5j2h-h5hg-3wf8 affects 2 products, including: pip/Django:\u003e= 1.1, \u003c 1.1.4; pip/Django:\u003e= 1.2, \u003c 1.2.5.

GHSA-5j2h-h5hg-3wf8HighCVSS 7.5

Cross-site request forgery in Django

Vendor

GitHub Security Advisories

Published

July 23, 2018

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2011-0696 →

📋 Description

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.

🎯 Affected products2

pip/Django:>= 1.1, < 1.1.4
pip/Django:>= 1.2, < 1.2.5

🔗 References (24)

https://nvd.nist.gov/vuln/detail/CVE-2011-0696
https://bugzilla.redhat.com/show_bug.cgi?id=676357
https://github.com/advisories/GHSA-5j2h-h5hg-3wf8
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html
http://openwall.com/lists/oss-security/2011/02/09/6
http://secunia.com/advisories/43230
http://secunia.com/advisories/43297
http://secunia.com/advisories/43382
http://secunia.com/advisories/43426
http://www.debian.org/security/2011/dsa-2163
http://www.mandriva.com/security/advisories?name=MDVSA-2011:031
http://www.securityfocus.com/bid/46296
http://www.ubuntu.com/usn/USN-1066-1
http://www.vupen.com/english/advisories/2011/0372
http://www.vupen.com/english/advisories/2011/0388
http://www.vupen.com/english/advisories/2011/0429
http://www.vupen.com/english/advisories/2011/0439
http://www.vupen.com/english/advisories/2011/0441
https://github.com/django/django/commit/408c5c873ce1437c7eee9544ff279ecbad7e150a
https://github.com/django/django/commit/818e70344e7193f6ebc73c82ed574e6ce3c91afc
http://www.djangoproject.com/weblog/2011/feb/08/security
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-10.yaml
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-30.yaml