High severity7.5NVD Advisory· Published Oct 3, 2016· Updated Jun 17, 2026
CVE-2016-7401
CVE-2016-7401
Description
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | < 1.8.15 | 1.8.15 |
DjangoPyPI | >= 1.9, < 1.9.10 | 1.9.10 |
Affected products
8- ghsa-coords8 versionspkg:pypi/djangopkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.2-rubygem-http-cookie&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-http-cookie&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207
< 1.8.15+ 7 more
- (no CPE)range: < 1.8.15
- (no CPE)range: < 4.2.14-1.1
- (no CPE)range: < 6.0-1.1
- (no CPE)range: < 3.2.7-2.3
- (no CPE)range: < 1.0.5-1.4
- (no CPE)range: < 1.0.5-1.1
- (no CPE)range: < 1.8.19-3.6.1
- (no CPE)range: < 1.8.19-3.4.1
Patches
Vulnerability mechanics
References
20- www.djangoproject.com/weblog/2016/sep/26/security-releases/nvdPatchVendor Advisory
- www.debian.org/security/2016/dsa-3678nvdThird Party AdvisoryWEB
- www.securityfocus.com/bid/93182nvdThird Party Advisory
- www.securitytracker.com/id/1036899nvdThird Party Advisory
- www.ubuntu.com/usn/USN-3089-1nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-crhm-qpjc-cm64ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-7401ghsaADVISORY
- rhn.redhat.com/errata/RHSA-2016-2038.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2039.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2040.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2041.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2042.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2043.htmlnvdWEB
- github.com/django/django/commit/6118ab7d0676f0d622278e5be215f14fb5410b6aghsaWEB
- github.com/django/django/commit/6fe846a8f08dc959003f298b5407e321c6fe3735ghsaWEB
- github.com/django/django/commit/d1bc980db1c0fffd6d60677e62f70beadb9fe64aghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-3.yamlghsaWEB
- web.archive.org/web/20200227223637/http://www.securityfocus.com/bid/93182ghsaWEB
- web.archive.org/web/20210927195154/http://www.securitytracker.com/id/1036899ghsaWEB
- www.djangoproject.com/weblog/2016/sep/26/security-releasesghsaWEB
News mentions
0No linked articles in our index yet.