CVE-2015-3982

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

Published: Jun 2, 2015
Updated: Apr 13, 2023
CVE: CVE-2015-3982
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
djangoproject / django	1.8.1	1.8.1.x
djangoproject / django	1.8.0	1.8.0.x

http://www.securityfocus.com/bid/74960
https://www.djangoproject.com/weblog/2015/may/20/security-release/

Vulnerability Database

289,697

CVE-2015-3982