PYSEC-2015-19 — Vulnetix

PYSEC-2015-19 PUBLISHED

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

Affected Products

Vendor	Product	Versions
PyPI	django	1.8, 1.8.1, 1.8

Timeline

Jun 2, 2015 CVE Published
May 7, 2024 CVE Updated

References

https://www.djangoproject.com/weblog/2015/may/20/security-release/ article
http://www.securityfocus.com/bid/74960 url

Open in Interactive Console →