PT-2007-1875 · Django · Django
Published
2007-01-23
·
Updated
2022-05-01
·
CVE-2007-0404
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Django version 0.95
Description
The issue arises from the bin/compile-messages.py script shipped with Django. The script walks the project's locale tree and, for each .po file it finds, builds the msgfmt command line by string formatting and hands it to os.system(), without quoting the .po and .mo paths. Because os.system() runs the string through a shell, a path containing shell metacharacters (`;`, `|`, `&`, `` ` ``, `$(`, `>` and the like) terminates the msgfmt command and executes whatever follows, with the privileges of the user running the script. The attack vector is therefore a crafted file name in the locale tree: an attacker who can get a .po (1) or .mo (2) file with such a name into a project's locale directories obtains arbitrary command execution the next time a developer or a deployment step compiles the message catalogs.
Recommendations
Upgrade to a Django release in which compile-messages.py quotes its arguments (0.95.1 was issued for this issue). If you must stay on Django 0.95, patch the bin/compile-messages.py script so the msgfmt invocation no longer passes unquoted paths through a shell: either call msgfmt with an argument list (subprocess without a shell), or quote each path before building the command string. Until the fix is applied, treat the script as a trusted-input-only tool: run it only on locale trees you control, check those trees for .po or .mo file names containing shell metacharacters before running it, and restrict who can add files to them.
Fix
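The following Python is an added illustration for this advisory; it is not Django's code and not the upstream patch. It reproduces the os.system() string-building pattern described above beside two hardened forms (an argv list passed to subprocess, and shlex.quote() for the case where a shell string is unavoidable), and adds a scan for locale file names that would have triggered the bug. The file names, the `_mo_path` helper and the function names are assumptions made for the example.

```python
"""Added example, not Django's own code and not the upstream patch: the
os.system() string-building pattern behind CVE-2007-0404 next to two
hardened forms, plus a scan for locale file names that would have
triggered it.  All paths below are constructed for illustration."""
import os
import shlex
import shutil
import subprocess

# Characters the shell gives meaning to.  Any of these in a path that is
# pasted into an os.system() string unquoted lets the path rewrite the command.
SHELL_METACHARS = set(";|&`$()<>\n'\"\\*?[]{}~!# ")


def _mo_path(po_file):
    """compile-messages.py derives the .mo target from the .po source name."""
    if not po_file.endswith(".po"):
        raise ValueError("expected a .po file, got %r" % po_file)
    return po_file[:-3] + ".mo"


def build_vulnerable_command(po_file):
    """The 0.95 pattern: both paths are formatted into one shell string.
    Returned as a string for inspection; deliberately never executed here."""
    return "msgfmt -o %s %s" % (_mo_path(po_file), po_file)


def build_safe_argv(po_file):
    """Hardened form 1: an argv list.  Passed to subprocess.run() without
    shell=True, each path stays a single argument whatever it contains."""
    return ["msgfmt", "-o", _mo_path(po_file), po_file]


def build_quoted_command(po_file):
    """Hardened form 2, if a shell string is unavoidable: shlex.quote() wraps
    each path so the shell sees exactly one word per path."""
    return "msgfmt -o %s %s" % (shlex.quote(_mo_path(po_file)),
                                shlex.quote(po_file))


def has_shell_metachars(path):
    """True if the path contains anything a shell would interpret."""
    return bool(SHELL_METACHARS & set(path))


def find_suspicious_po_files(locale_root):
    """Walk a locale tree the way compile-messages.py does and return the
    .po paths (relative to locale_root) that contain shell metacharacters:
    the inputs that turned the old script into a command runner."""
    hits = []
    for dirpath, _dirs, files in os.walk(locale_root):
        for name in files:
            if name.endswith(".po"):
                rel = os.path.relpath(os.path.join(dirpath, name), locale_root)
                if has_shell_metachars(rel):
                    hits.append(rel)
    return sorted(hits)


def compile_messages(locale_root):
    """Safe replacement for the compile loop: every .po file goes to msgfmt
    as an argv list, so a hostile name is just an odd file name.  Returns
    the relative paths compiled; raises if msgfmt (GNU gettext) is missing."""
    if shutil.which("msgfmt") is None:
        raise RuntimeError("msgfmt is not on PATH")
    compiled = []
    for dirpath, _dirs, files in os.walk(locale_root):
        for name in sorted(files):
            if not name.endswith(".po"):
                continue
            po_file = os.path.join(dirpath, name)
            subprocess.run(build_safe_argv(po_file), check=True)
            compiled.append(os.path.relpath(po_file, locale_root))
    return compiled


if __name__ == "__main__":
    # Constructed file name: the ';' ends the msgfmt command and '>' redirects.
    crafted = "de/LC_MESSAGES/django;id>owned.po"
    print("vulnerable:", build_vulnerable_command(crafted))
    print("argv      :", build_safe_argv(crafted))
    print("quoted    :", build_quoted_command(crafted))
    print("flagged   :", has_shell_metachars(crafted))
```

Running the script prints the three command forms for the crafted name: in the vulnerable string the shell would see `msgfmt -o de/LC_MESSAGES/django`, then `id>owned.mo de/LC_MESSAGES/django`, then `id>owned.po` as three separate commands, while the argv and quoted forms keep each path as exactly one word. The scan in `find_suspicious_po_files` is the pre-flight check to run on a locale tree before using an unpatched 0.95 script; a space counts as a metacharacter because it splits arguments just as badly as `;`.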
Related Identifiers
Affected Products
Django