{"id":"CVE-2016-7401","details":"The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site that also uses Google Analytics, allows remote attackers to set arbitrary cookies and thereby bypass Django's CSRF protection mechanism. Upgrade to Django 1.8.15 or 1.9.10 (or later) to fix.","aliases":["GHSA-crhm-qpjc-cm64","PYSEC-2016-3"],"modified":"2026-04-16T01:38:33.400448474Z","published":"2016-10-03T18:59:13.137Z","related":["SUSE-SU-2018:0973-1","SUSE-SU-2018:1102-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:11333-1","openSUSE-SU-2024:12248-1","openSUSE-SU-2024:13158-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14073-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2025:14741-1","openSUSE-SU-2026:10005-1","openSUSE-SU-2026:10349-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:djangoproject:django:1.9.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"1.9.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*","extracted_events":[{"last_affected":"12.04"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","extracted_events":[{"last_affected":"14.04"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","extracted_events":[{"last_affected":"16.04"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.0"}],"source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2038.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2039.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2040.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2041.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2042.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2043.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3678"},{"type":"ADVISORY","url":"http://www.security
focus.com/bid/93182"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036899"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3089-1"},{"type":"FIX","url":"https://www.djangoproject.com/weblog/2016/sep/26/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"0"},{"last_affected":"9fbdc48c493f43961173bab8f23d633ab41a9608"},{"last_affected":"e70a309c428cfd4e600dc9fa0c7269b1e7a8efcd"},{"last_affected":"c00335997744196738368f46c30ef2eeaa0ac849"},{"last_affected":"37935743edbf60201adb1b53b56b8cafa754c69a"},{"last_affected":"dafddb6b8c0eb778072bec1ccd536bafad0eb936"},{"last_affected":"b29316c54bb3465265ff931e807229f13349457d"},{"last_affected":"6e749c21e77dc74af068c8e943a6e6850ae0bb24"},{"last_affected":"8a2a3a63b83375d9322c077b6356007e0bef5939"},{"last_affected":"2234d1f08d079a3e4be4f1a89847dc294a4a5c1a"},{"last_affected":"e8bb7464c562388da48bca04c5996fe16a0c3619"}],"database_specific":{"cpe":["cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"1.8.14"},{"last_affected":"1.9.1"},{"last_affected":"1.9.2"},{"last_affected":"1.9.3"},{"last_affected":"1.9.4"},{"last_affected":"1.9.5"},{"last_affected":"1.9.6"},{"last_affected":"1.9.7"},{"last_affected":"1.9.8"},{"last_affected":"1.9.9"}],"source":"CPE_FIELD"}}],"versions":["1.0","1.1","1.2","1.2.1","1.3","1.4","1.7a2","1.8","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.2","1.8.3","1.8.4","1.8.5","1.
8.6","1.8.7","1.8.8","1.8.9","1.8a1","1.8b1","1.8b2","1.8c1","1.9","1.9.1","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9","1.9a1","1.9b1","1.9rc1","1.9rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-7401.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}