{ "affected": [ { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:11", "name": "python-django" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.2.1" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:12", "name": "python-django" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.2.1" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:13", "name": "python-django" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.2.1" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:14", "name": "python-django" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.2.1" } ], "type": "ECOSYSTEM" } ] } ], "details": "Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. NOTE: this issue has been disputed by Debian, since product documentation includes a recommendation for a CSRF protection module that is included with the product. However, CVE considers this an issue because the default configuration does not use this module", "id": "DEBIAN-CVE-2007-5828", "modified": "2026-04-28T19:53:21.542824941Z", "published": "2007-11-05T19:46:00Z", "references": [ { "type": "ADVISORY", "url": "https://security-tracker.debian.org/tracker/CVE-2007-5828" } ], "upstream": [ "CVE-2007-5828" ] }