Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-mm3u-a8ar-b3hp
Vulnerability ID VCID-mm3u-a8ar-b3hp
Aliases CVE-2011-4136
GHSA-x88j-93vc-wpmp
PYSEC-2011-1
Summary django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-20 Improper Input Validation
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 4.0 http://openwall.com/lists/oss-security/2011/09/11/1
cvssv4 6.9 http://openwall.com/lists/oss-security/2011/09/11/1
generic_textual MODERATE http://openwall.com/lists/oss-security/2011/09/11/1
cvssv3.1 4.0 http://openwall.com/lists/oss-security/2011/09/13/2
cvssv4 6.9 http://openwall.com/lists/oss-security/2011/09/13/2
generic_textual MODERATE http://openwall.com/lists/oss-security/2011/09/13/2
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
epss 0.01195 https://api.first.org/data/v1/epss?cve=CVE-2011-4136
cvssv3.1 4.0 https://bugzilla.redhat.com/show_bug.cgi?id=737366
cvssv4 6.9 https://bugzilla.redhat.com/show_bug.cgi?id=737366
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=737366
cvssv3.1 4.0 https://github.com/advisories/GHSA-x88j-93vc-wpmp
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-x88j-93vc-wpmp
cvssv4 6.9 https://github.com/advisories/GHSA-x88j-93vc-wpmp
generic_textual MODERATE https://github.com/advisories/GHSA-x88j-93vc-wpmp
cvssv3.1 4.0 https://github.com/django/django
cvssv4 6.9 https://github.com/django/django
generic_textual MODERATE https://github.com/django/django
cvssv3.1 4.0 https://github.com/django/django/commit/ac7c3a110f906e4dfed3a17451bf7fd9fcb81296
cvssv4 6.9 https://github.com/django/django/commit/ac7c3a110f906e4dfed3a17451bf7fd9fcb81296
generic_textual MODERATE https://github.com/django/django/commit/ac7c3a110f906e4dfed3a17451bf7fd9fcb81296
cvssv3.1 4.0 https://github.com/django/django/commit/fbe2eead2fa9d808658ca582241bcacb02618840
cvssv4 6.9 https://github.com/django/django/commit/fbe2eead2fa9d808658ca582241bcacb02618840
generic_textual MODERATE https://github.com/django/django/commit/fbe2eead2fa9d808658ca582241bcacb02618840
cvssv3.1 4.0 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-1.yaml
cvssv4 6.9 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-1.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-1.yaml
cvssv3.1 4.0 https://hermes.opensuse.org/messages/14700881
cvssv4 6.9 https://hermes.opensuse.org/messages/14700881
generic_textual MODERATE https://hermes.opensuse.org/messages/14700881
cvssv3.1 4.0 https://nvd.nist.gov/vuln/detail/CVE-2011-4136
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2011-4136
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2011-4136
cvssv3.1 4.0 https://www.djangoproject.com/weblog/2011/sep/09
cvssv4 6.9 https://www.djangoproject.com/weblog/2011/sep/09
generic_textual MODERATE https://www.djangoproject.com/weblog/2011/sep/09
cvssv3.1 4.0 https://www.djangoproject.com/weblog/2011/sep/10/127
cvssv4 6.9 https://www.djangoproject.com/weblog/2011/sep/10/127
generic_textual MODERATE https://www.djangoproject.com/weblog/2011/sep/10/127
cvssv3.1 4.0 http://www.debian.org/security/2011/dsa-2332
cvssv4 6.9 http://www.debian.org/security/2011/dsa-2332
generic_textual MODERATE http://www.debian.org/security/2011/dsa-2332
Reference id Reference type URL
http://openwall.com/lists/oss-security/2011/09/11/1
http://openwall.com/lists/oss-security/2011/09/13/2
https://api.first.org/data/v1/epss?cve=CVE-2011-4136
https://bugzilla.redhat.com/show_bug.cgi?id=737366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4136
http://secunia.com/advisories/46614
https://github.com/advisories/GHSA-x88j-93vc-wpmp
https://github.com/django/django
https://github.com/django/django/commit/ac7c3a110f906e4dfed3a17451bf7fd9fcb81296
https://github.com/django/django/commit/fbe2eead2fa9d808658ca582241bcacb02618840
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-1.yaml
https://hermes.opensuse.org/messages/14700881
https://www.djangoproject.com/weblog/2011/sep/09
https://www.djangoproject.com/weblog/2011/sep/09/
https://www.djangoproject.com/weblog/2011/sep/10/127
https://www.djangoproject.com/weblog/2011/sep/10/127/
http://www.debian.org/security/2011/dsa-2332
641405 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641405
CVE-2011-4136 https://nvd.nist.gov/vuln/detail/CVE-2011-4136
USN-1297-1 https://usn.ubuntu.com/1297-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at http://openwall.com/lists/oss-security/2011/09/11/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at http://openwall.com/lists/oss-security/2011/09/11/1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at http://openwall.com/lists/oss-security/2011/09/13/2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at http://openwall.com/lists/oss-security/2011/09/13/2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=737366
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=737366
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/advisories/GHSA-x88j-93vc-wpmp
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/advisories/GHSA-x88j-93vc-wpmp
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/django/django/commit/ac7c3a110f906e4dfed3a17451bf7fd9fcb81296
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/django/django/commit/ac7c3a110f906e4dfed3a17451bf7fd9fcb81296
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/django/django/commit/fbe2eead2fa9d808658ca582241bcacb02618840
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/django/django/commit/fbe2eead2fa9d808658ca582241bcacb02618840
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-1.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-1.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://hermes.opensuse.org/messages/14700881
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://hermes.opensuse.org/messages/14700881
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2011-4136
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2011-4136
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://www.djangoproject.com/weblog/2011/sep/09
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://www.djangoproject.com/weblog/2011/sep/09
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://www.djangoproject.com/weblog/2011/sep/10/127
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://www.djangoproject.com/weblog/2011/sep/10/127
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at http://www.debian.org/security/2011/dsa-2332
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at http://www.debian.org/security/2011/dsa-2332
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.78823
EPSS Score 0.01195
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:40:51.295173+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2011-1.yaml 38.0.0