VYPR
Moderate severity · NVD Advisory · Published Sep 14, 2010 · Updated Apr 29, 2026

CVE-2010-3082

Description

Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
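The description above is terse, so here is a minimal reproduction of the rendering path the advisory refers to. This is an added example, not Django's own code: Django is not imported, the escape() below is a stand-in that reproduces the five replacements django.utils.html.escape performs, and the token value is a constructed sample that carries the characters relevant to a single-quoted attribute.

```python
# Added example (not Django's code): why the pre-1.2.2 render is injectable
# and what the 1.2.2 fix changes. escape() is a stand-in for
# django.utils.html.escape (same five replacements); SAMPLE_TOKEN is constructed.

def escape(text):
    """Stand-in for django.utils.html.escape: replace the five HTML
    metacharacters so the value is inert inside a quoted attribute."""
    return (text.replace('&', '&amp;')
                .replace('<', '&lt;')
                .replace('>', '&gt;')
                .replace('"', '&quot;')
                .replace("'", '&#39;'))

def render_hidden_field_vulnerable(csrf_token):
    """Pre-1.2.2 behaviour: the cookie-supplied token is interpolated verbatim,
    so a single quote in the token terminates the value attribute early."""
    return ("<div style='display:none'><input type='hidden' "
            "name='csrfmiddlewaretoken' value='%s' /></div>" % csrf_token)

def render_hidden_field_fixed(csrf_token):
    """1.2.2 behaviour: the token is escaped before interpolation."""
    return ("<div style='display:none'><input type='hidden' "
            "name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))

def attribute_value(html):
    """Return the value attribute as an HTML parser sees it: the text between
    value=' and the next single quote."""
    start = html.index("value='") + len("value='")
    end = html.index("'", start)
    return html[start:end]

# Constructed token: a quote, angle brackets and an ampersand, the characters
# that matter inside a single-quoted attribute. Not a real CSRF token.
SAMPLE_TOKEN = "abc'<1>&def"

if __name__ == "__main__":
    # The vulnerable render yields value='abc' and leaves the rest of the token
    # outside the attribute; the fixed render keeps the whole token inside it.
    print(render_hidden_field_vulnerable(SAMPLE_TOKEN))
    print(render_hidden_field_fixed(SAMPLE_TOKEN))
```

The point to take from attribute_value() is that the browser, not the template author, decides where the attribute ends; with the vulnerable render everything after the first quote in the token becomes markup of the attacker's choosing, which is exactly what the patch closes by escaping at the output site.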

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Django (PyPI)
Affected versions: >= 1.2, < 1.2.2
Patched versions: 1.2.2

Affected products

  • cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*

Patches

7f84657b6b22

[1.2.X] Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow. Backport of [13698] from trunk.

https://github.com/django/django · James Bennett · Sep 9, 2010 · via ghsa
3 files changed · +11 −5
  • django/middleware/csrf.py+4 2 modified
    @@ -13,6 +13,7 @@
     from django.core.urlresolvers import get_callable
     from django.utils.cache import patch_vary_headers
     from django.utils.hashcompat import md5_constructor
    +from django.utils.html import escape
     from django.utils.safestring import mark_safe
     
     _POST_FORM_RE = \
    @@ -52,7 +53,8 @@ def _make_legacy_session_token(session_id):
     
     def get_token(request):
         """
    -    Returns the the CSRF token required for a POST form.
    +    Returns the the CSRF token required for a POST form. No assumptions should
    +    be made about what characters might be in the CSRF token.
     
         A side effect of calling this function is to make the the csrf_protect
         decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
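Review bot: the rewritten docstring line still carries the duplicated word in "Returns the the CSRF token"; since the line is being touched anyway, drop the extra "the". The added sentence records the right decision but would be clearer with its reason: the token value comes from the client-supplied cookie and is not validated, so every output site must treat it as untrusted text.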
    @@ -233,7 +235,7 @@ def add_csrf_field(match):
                     """Returns the matched <form> tag plus the added <input> element"""
                     return mark_safe(match.group() + "<div style='display:none;'>" + \
                     "<input type='hidden' " + idattributes.next() + \
    -                " name='csrfmiddlewaretoken' value='" + csrf_token + \
    +                " name='csrfmiddlewaretoken' value='" + escape(csrf_token) + \
                     "' /></div>")
     
                 # Modify any POST forms
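Review bot: the escape() call closes the injection at this output site, but its correctness depends on the attribute staying single-quoted and on django.utils.html.escape converting the single quote as well as &, <, > and ". Add a comment here stating that dependency, since switching to a double-quoted attribute or narrowing escape()'s replacement set would silently reopen the hole. As defence in depth, also consider rejecting cookie values outside the token's expected character set where the cookie is read, so malformed tokens never reach the template; that change is not part of this diff.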
    
  • django/template/defaulttags.py+2 1 modified
    @@ -9,6 +9,7 @@
     from django.template import get_library, Library, InvalidTemplateLibrary
     from django.template.smartif import IfParser, Literal
     from django.conf import settings
    +from django.utils.html import escape
     from django.utils.encoding import smart_str, smart_unicode
     from django.utils.safestring import mark_safe
     
    @@ -42,7 +43,7 @@ def render(self, context):
                 if csrf_token == 'NOTPROVIDED':
                     return mark_safe(u"")
                 else:
    -                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
    +                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % escape(csrf_token))
             else:
                 # It's very probable that the token is missing because of
                 # misconfiguration, so we raise a warning
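Review bot: this is the same hidden-input markup that django/middleware/csrf.py builds, now escaped independently in two places. A small shared helper returning the escaped <input> markup for a given token would keep the two sites from diverging on the next fix; the 'NOTPROVIDED' sentinel check above it can stay as is.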
    
  • tests/regressiontests/csrf_tests/tests.py+5 2 modified
    @@ -6,6 +6,7 @@
     from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
     from django.core.context_processors import csrf
     from django.contrib.sessions.middleware import SessionMiddleware
    +from django.utils.html import escape
     from django.utils.importlib import import_module
     from django.conf import settings
     from django.template import RequestContext, Template
    @@ -56,7 +57,9 @@ def is_secure(self):
             return getattr(self, '_is_secure', False)
     
     class CsrfMiddlewareTest(TestCase):
    -    _csrf_id = "1"
    +    # The csrf token is potentially from an untrusted source, so could have
    +    # characters that need escaping
    +    _csrf_id = "<1>"
     
         # This is a valid session token for this ID and secret key.  This was generated using
         # the old code that we're to be backwards-compatible with.  Don't use the CSRF code
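Review bot: the new test token "<1>" only exercises the angle-bracket replacements. Both fix sites delimit the value attribute with single quotes, so the character that matters most for this bug is a single quote; use a token such as "<1>'&" (which also covers &) so the test fails if escape() ever stops handling quotes.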
    @@ -101,7 +104,7 @@ def _get_POST_session_request_no_token(self):
             return req
     
         def _check_token_present(self, response, csrf_id=None):
    -        self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))
    +        self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % escape(csrf_id or self._csrf_id))
     
         # Check the post processing and outgoing cookie
         def test_process_response_no_csrf_cookie(self):
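Review bot: applying escape() to the expected value mirrors the implementation, so if escape() were a no-op both the response and the expected string would contain the raw token and this assertion would still pass. Assert the literal expected markup instead, e.g. `value='&lt;1&gt;'` for the "<1>" token, so a regression in escaping produces a failure rather than a matching wrong string.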
    
