CVE-2011-4136

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

Published: Oct 19, 2011
Updated: Nov 9, 2025
CVE: CVE-2011-4136
GHSA: GHSA-x88j-93vc-wpmp
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:N/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
djangoproject / django	-	1.2.6.x
djangoproject / django	1.2.5	1.2.5.x
djangoproject / django	0.95	0.95.x
djangoproject / django	1.0	1.0.x
djangoproject / django	1.3	1.3.x
djangoproject / django	1.1.2	1.1.2.x
djangoproject / django	1.0.1	1.0.1.x
djangoproject / django	1.1	1.1.x
djangoproject / django	1.2.1	1.2.1.x
djangoproject / django	1.2.4	1.2.4.x
djangoproject / django	0.91	0.91.x
djangoproject / django	1.0.2	1.0.2.x
djangoproject / django	1.2.3	1.2.3.x
djangoproject / django	1.3-alpha1	1.3-alpha1.x
djangoproject / django	1.1.3	1.1.3.x
djangoproject / django	1.2.1-2	1.2.1-2.x
djangoproject / django	1.2	1.2.x
djangoproject / django	0.95.1	0.95.1.x
djangoproject / django	0.96	0.96.x
djangoproject / django	1.3-alpha2	1.3-alpha2.x
djangoproject / django	1.1.0	1.1.0.x
djangoproject / django	1.2.2	1.2.2.x
Django	1.3.0	1.3.1
Django	1.2.0	1.2.7

Vulnerability Database

300,445

CVE-2011-4136

Deep Security Visibility Without the Complexity