Djangoproject 1.8.14 Bypass a restriction or similar CSRF Vulnerability
2 Jan. 2017
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
A vulnerability was reported in Django. A remote user can conduct cross-site request forgery attacks.
A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, exploits a flaw in the interaction between Google Analytics and Django's cookie parsing code to set arbitrary cookies, allowing the attacker to take actions on the target interface as the target user.
Web sites that use Google Analytics are affected.
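Because Django's CSRF middleware compares the token sent with the request against the value of the `csrftoken` cookie, the cookie parser decides what that comparison sees, which is why a parsing quirk triggered by a Google Analytics cookie matters. The script below is an added illustration, not code from this advisory or from the Django project: it parses a constructed `Cookie` header in the style of a Google Analytics `__utmz` cookie (the value contains a space, which the standard library's `SimpleCookie` rejects on current Python 3, discarding every cookie in the header) with both `SimpleCookie` and a tolerant split-on-`;`-then-`=` parser modelled on the `parse_cookie` that the fixed Django releases (1.8.15 and 1.9.10) introduced. `csrf_check` is a reduced model of the middleware's comparison, not Django's own code, and the sample header and token values are constructed.

```python
"""Strict vs. tolerant cookie parsing and its effect on the CSRF token check.

Added example (not Django's code). The tolerant parser is modelled on the
split-based parse_cookie that Django adopted in 1.8.15 / 1.9.10; the strict
one uses http.cookies.SimpleCookie, which on current Python 3 drops the whole
header as soon as one chunk does not match its grammar.
"""
import hmac
import re
from http.cookies import SimpleCookie

# Constructed Cookie header in the style of a Google Analytics __utmz cookie
# (not a captured real header). The space inside the __utmz value is what the
# strict parser refuses to accept.
SAMPLE_COOKIE_HEADER = (
    "__utmz=123.456.7.8.utmcsr=google|utmccn=(organic)|utmcmd=organic"
    "|utmctr=django cookies; csrftoken=abc123; sessionid=s3ss10n"
)

_ESCAPED = re.compile(r"\\(.)")


def _unquote(value):
    """Strip surrounding double quotes and undo backslash escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = _ESCAPED.sub(r"\1", value[1:-1])
    return value


def parse_cookie_strict(header):
    """Parse with SimpleCookie: one malformed chunk and no cookie survives."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except Exception:  # CookieError on some inputs: treat as nothing parsed
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def parse_cookie_tolerant(header):
    """Split on ';' and on the first '=' of each chunk only, so an odd value
    in one cookie never changes how its neighbours are read."""
    result = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            key, val = chunk.split("=", 1)
        else:
            key, val = "", chunk  # nameless cookie, as some browsers send
        key, val = key.strip(), val.strip()
        if key or val:
            result[key] = _unquote(val)
    return result


def csrf_check(cookies, request_token):
    """Reduced model of the middleware check: the token from the request body
    or header must equal the token the cookie parser produced."""
    cookie_token = cookies.get("csrftoken")
    if not cookie_token or not request_token:
        return False
    return hmac.compare_digest(cookie_token, request_token)


if __name__ == "__main__":
    for name, parser in (("strict", parse_cookie_strict),
                         ("tolerant", parse_cookie_tolerant)):
        parsed = parser(SAMPLE_COOKIE_HEADER)
        print(name, parsed, "csrf ok:", csrf_check(parsed, "abc123"))
```

The point for a defender is that the outcome of the CSRF comparison depends entirely on which parser produced the `cookies` dictionary: with the strict parser the legitimate `csrftoken` vanishes along with the analytics cookie, while the tolerant parser reads each cookie independently, so a strange value in one cookie cannot alter what the application believes the others contain.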