CVE-2007-5828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5828): Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/.
Seemant, are we affected by this?
Hi Robert & Security Co., this is a non-issue for Django. The person who raised the issue brought it up to Django's upstream and was shown their CSRF middleware to protect against these attacks (documented here: http://www.djangoproject.com/documentation/0.96/csrf/ ). The reporter even *agreed* with upstream that there was, indeed, no issue. The reporter then went on to file the CVE.
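As an added illustration (not Django's own code and not part of this bug thread), a minimal model of the cookie-versus-form-field token comparison that Django's CSRF middleware performs, showing why a cross-site form post to the admin password-change path is rejected; the `Request`, `change_password` and `USERS` names are constructed for the example, and the path is the one named in the CVE.

```python
# Simplified model of a CSRF middleware check; not Django's implementation.
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE = "csrftoken"          # assumed cookie name for the example
CSRF_FIELD = "csrfmiddlewaretoken"  # assumed form field name for the example

@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)

def csrf_check(req: Request) -> bool:
    """Accept a state-changing request only if the token in the form body
    matches the token in the session cookie. A page on another origin can
    make the browser *send* the cookie, but cannot read it, so it cannot
    copy the matching value into the form it auto-submits."""
    if req.method in ("GET", "HEAD"):
        return True
    cookie_token = req.cookies.get(CSRF_COOKIE)
    form_token = req.post.get(CSRF_FIELD)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)

USERS = {1: {"password": "old-password"}}  # constructed user table

def change_password(req: Request, protected: bool = True) -> int:
    """Model of the admin/auth/user/<id>/password/ view; returns an HTTP status.
    protected=False models an admin view with no CSRF middleware applied."""
    if protected and not csrf_check(req):
        return 403
    if req.method != "POST":
        return 405
    user_id = int(req.path.rstrip("/").split("/")[-2])
    USERS[user_id]["password"] = req.post["password"]
    return 200

if __name__ == "__main__":
    token = secrets.token_hex(16)  # token the site set in the admin's cookie
    # Constructed: the admin submits the real form, which embeds the token.
    legit = Request("POST", "/admin/auth/user/1/password/", {CSRF_COOKIE: token}, {"password": "new", CSRF_FIELD: token})
    # Constructed: a form auto-submitted from another site carries the cookie but no token.
    forged = Request("POST", "/admin/auth/user/1/password/", {CSRF_COOKIE: token}, {"password": "x"})
    print(change_password(legit), change_password(forged))  # 200 403
```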
Closing as INVALID then. Upstream should notify Mitre if they contest the CVE entry and it will get noted.