| Field | Value |
|---|---|
| purl | pkg:deb/debian/python-django@1.2.3-3%2Bsqueeze15 |
| Next non-vulnerable version | 3:3.2.25-0+deb12u3 |
| Latest non-vulnerable version | 3:5.2.14-2 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3kza-a88p-kfg7 (aliases: CVE-2016-6186, GHSA-c8c8-9472-w52h, PYSEC-2016-2) | Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. | Affected by 5 other vulnerabilities. |
| VCID-3mfy-uj9u-d7de (aliases: CVE-2019-12781, GHSA-6c7v-2f49-8h26, PYSEC-2019-10) | Silent downgrade. | Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-3sg7-t77d-rkc6 (aliases: CVE-2014-0473, GHSA-89hj-xfx5-7q66, PYSEC-2014-2) | The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users. | Affected by 8 other vulnerabilities. |
| VCID-5vmb-d4xp-zfgy (aliases: CVE-2015-0219, GHSA-7qfw-j7hp-v45g, PYSEC-2015-4) | Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. | Affected by 8 other vulnerabilities. |
| VCID-6wah-r8vr-5qc4 (aliases: CVE-2016-2513, GHSA-fp6p-5xvw-m74f, PYSEC-2016-16) | The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. | Affected by 8 other vulnerabilities. Affected by 5 other vulnerabilities. |
| VCID-71t1-69yq-c7h6 (aliases: CVE-2014-1418, GHSA-q7q2-qf2q-rw3w, PYSEC-2014-19) | Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers. | Affected by 8 other vulnerabilities. |
| VCID-7rz2-nqdn-hycc (aliases: CVE-2014-0480, GHSA-f7cm-ccfp-3q4r, PYSEC-2014-4) | The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated. | Affected by 8 other vulnerabilities. |
| VCID-8gus-er59-1qak (aliases: CVE-2016-9014, GHSA-3f2c-jm6v-cr35, PYSEC-2016-18) | Multiple issues. | Affected by 5 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-8v2c-7739-2ugp (aliases: CVE-2014-0483, GHSA-rw75-m7gp-92m3, PYSEC-2014-7) | The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. | Affected by 8 other vulnerabilities. |
| VCID-912q-3eks-4yfm (aliases: CVE-2015-0220, GHSA-gv98-g628-m9x5, PYSEC-2015-5) | The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespace, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL. | Affected by 8 other vulnerabilities. |
| VCID-9bqp-b6rw-mye7 (aliases: CVE-2014-3730, GHSA-vq3h-3q7v-9prw, PYSEC-2014-20) | The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." | Affected by 8 other vulnerabilities. |
| VCID-9kvc-1bdz-n3bd (aliases: CVE-2025-32873, GHSA-8j24-cjrq-gr2m, PYSEC-2025-37) | Denial of service. | Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-bahz-gfxv-e3b2 (aliases: CVE-2015-2317, GHSA-7fq8-4pv5-5w5c, PYSEC-2015-9) | The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. | Affected by 8 other vulnerabilities. |
| VCID-ffsr-th58-p3ct (aliases: CVE-2014-0474, GHSA-wqjj-hx84-v449, PYSEC-2014-3) | The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting." | Affected by 8 other vulnerabilities. |
| VCID-g2z3-2h8p-c7ge (aliases: CVE-2013-4315, GHSA-vjjp-9r83-22rc, PYSEC-2013-20) | Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag. | Affected by 8 other vulnerabilities. |
| VCID-jfya-694v-myar (aliases: CVE-2015-5143, GHSA-h582-2pch-3xv3, PYSEC-2015-20) | The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys. | Affected by 8 other vulnerabilities. |
| VCID-kq8u-td31-uqaa (aliases: CVE-2015-5963, GHSA-pgxh-wfw4-jx2v, PYSEC-2015-22) | contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record. | Affected by 8 other vulnerabilities. |
| VCID-ksh8-pazn-dbca (aliases: CVE-2016-2512, GHSA-pw27-w7w4-9qc7, PYSEC-2016-15) | The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com. | Affected by 8 other vulnerabilities. |
| VCID-mccp-khb9-qkb7 (aliases: CVE-2015-5144, GHSA-q5qw-4364-5hhm, PYSEC-2015-10) | Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. | Affected by 8 other vulnerabilities. |
| VCID-ps24-pjj4-uqd1 (aliases: CVE-2013-1443, GHSA-4c42-4rxm-x6qf, PYSEC-2013-18) | The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed. | Affected by 8 other vulnerabilities. |
| VCID-qy2a-mvpz-q7eh (aliases: CVE-2016-9013, GHSA-mv8g-fhh6-6267, PYSEC-2016-17) | Multiple issues. | Affected by 5 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-r7tk-79xy-jkhj (aliases: CVE-2014-0481, GHSA-296w-6qhq-gf92, PYSEC-2014-5) | The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by uploading multiple files with the same name. | Affected by 8 other vulnerabilities. |
| VCID-rq19-9v21-47dy (aliases: CVE-2014-0472, GHSA-rvq6-mrpv-m6rm, PYSEC-2014-1) | The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path." | Affected by 8 other vulnerabilities. |
| VCID-rxxr-sseq-k7a9 (aliases: CVE-2015-8213, GHSA-6wcr-wcqm-3mfh, PYSEC-2015-11) | The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. | Affected by 8 other vulnerabilities. |
| VCID-ta66-7qrm-sbhu (aliases: CVE-2015-0221, GHSA-jhjg-w2cp-5j44, PYSEC-2015-6) | The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. | Affected by 8 other vulnerabilities. |
| VCID-th75-ys47-d3h8 (aliases: CVE-2015-5964, GHSA-x38m-486c-2wr9, PYSEC-2015-23) | The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. | Affected by 8 other vulnerabilities. |
| VCID-u4a7-uvcb-9kf8 (aliases: CVE-2014-0482, GHSA-625g-gx8c-xcmg, PYSEC-2014-6) | The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. | Affected by 8 other vulnerabilities. |
| VCID-vdpf-jddk-syda (aliases: CVE-2019-19844, GHSA-vfq6-hq5r-27r6, PYSEC-2019-16) | Insufficient validation. | Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
| VCID-x212-mskt-9bbw (aliases: CVE-2013-6044, GHSA-9cwg-mhxf-hh59, PYSEC-2013-21) | The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme. | Affected by 8 other vulnerabilities. |
| VCID-x61x-6b6k-h3bn (aliases: CVE-2018-7537, GHSA-2f9x-5v75-3qv4, PYSEC-2018-6) | An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||