CVE-2007-0404
Published: 23 January 2007
bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.
Priority
Status
Package | Release | Status |
---|---|---|
python-django Launchpad, Ubuntu, Debian |
upstream |
Released
(0.95.1)
|
dapper |
Does not exist
|
|
edgy |
Does not exist
|
|
feisty |
Not vulnerable
|
|
gutsy |
Not vulnerable
|
|
hardy |
Not vulnerable
|