J. Carlos Nieto

**Name of the Vulnerable Software and Affected Versions** Django version 0.96 **Description** A cross-site request forgery (CSRF) issue exists in the admin panel, allowing remote attackers to change passwords of arbitrary users via a request to "admin/auth/user/1/password/". This issue is disputed by Debian due to the product documentation recommending a CSRF protection module. However, the default configuration does not include this module, making it a concern. **Recommendations** For Django version 0.96, consider using the recommended CSRF protection module to mitigate the risk of exploitation. As a temporary workaround, restrict access to the admin panel to minimize the risk of arbitrary password changes.

**Name of the Vulnerable Software and Affected Versions** Smarty version 2.6.1 **Description** A remote file inclusion issue in the unit test/test cases.php file of Smarty allows remote attackers to execute arbitrary PHP code via a URL in the `SMARTY DIR` parameter. **Recommendations** For Smarty version 2.6.1, consider restricting access to the `unit test/test cases.php` file to minimize the risk of exploitation. As a temporary workaround, avoid using the `SMARTY DIR` parameter in the affected file until the issue is resolved.