| purl | pkg:deb/debian/python-django@1.4.5-1%2Bdeb7u16 |
|---|---|
| Next non-vulnerable version | 3:3.2.25-0+deb12u3 |
| Latest non-vulnerable version | 3:5.2.14-2 |
| Risk | |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1c7j-evpp-53eb (Aliases: BIT-django-2024-39330 CVE-2024-39330 GHSA-9jmf-237g-qf46 PYSEC-2024-58) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-1umb-2rxg-bbdk (Aliases: BIT-django-2024-53907 CVE-2024-53907 GHSA-8498-2h75-472j PYSEC-2024-156) | An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-2bh9-k4at-r7hz (Aliases: BIT-django-2020-7471 CVE-2020-7471 GHSA-hmr4-m2h5-33qx PYSEC-2020-35) | sql injection | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-2bx5-jaat-u7ek (Aliases: CVE-2015-5964 GHSA-x38m-486c-2wr9 PYSEC-2015-23) | The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. | Affected by 45 other vulnerabilities. |
| VCID-2f2p-wfbs-73hz (Aliases: BIT-django-2022-23833 CVE-2022-23833 GHSA-6cw3-g6wv-c2xv PYSEC-2022-20) | | Affected by 16 other vulnerabilities. |
| VCID-2jvg-udsm-nkax (Aliases: CVE-2018-14574 GHSA-5hg3-6c2f-f3wr PYSEC-2018-2) | open redirect | Affected by 38 other vulnerabilities. |
| VCID-3d6k-rdsh-k7hm (Aliases: BIT-django-2025-13372 CVE-2025-13372 GHSA-rqw2-ghq9-44m7 PYSEC-2025-104) | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-3wbe-pfau-9uhb (Aliases: CVE-2021-23336) | multiple issues | Affected by 16 other vulnerabilities. |
| VCID-5a2y-2m62-1qfa (Aliases: BIT-django-2020-13254 CVE-2020-13254 GHSA-wpjr-j57x-wxfw PYSEC-2020-31) | multiple issues | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-5sxw-p38k-q7cp (Aliases: CVE-2018-7537 GHSA-2f9x-5v75-3qv4 PYSEC-2018-6) | denial of service | Affected by 45 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-68nb-696n-n3bf (Aliases: BIT-django-2024-41991 CVE-2024-41991 GHSA-r836-hh6v-rg5g PYSEC-2024-69) | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-697r-xhy8-efa5 (Aliases: CVE-2016-2513 GHSA-fp6p-5xvw-m74f PYSEC-2016-16) | The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. | Affected by 45 other vulnerabilities. |
| VCID-6bct-bfhb-xugt (Aliases: BIT-django-2022-34265 CVE-2022-34265 GHSA-p64x-8rxx-wf6q PYSEC-2022-213) | sql injection | Affected by 16 other vulnerabilities. |
| VCID-6fef-e9tf-7kag (Aliases: CVE-2015-5963 GHSA-pgxh-wfw4-jx2v PYSEC-2015-22) | contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record. | Affected by 45 other vulnerabilities. |
| VCID-6p2m-vyft-xfe8 (Aliases: CVE-2015-8213 GHSA-6wcr-wcqm-3mfh PYSEC-2015-11) | The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. | Affected by 45 other vulnerabilities. |
| VCID-7jbt-5zw2-vff2 (Aliases: BIT-django-2025-64460 CVE-2025-64460 GHSA-vrcr-9hj9-jcg6 PYSEC-2025-109) | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-7u6e-a3ng-fude (Aliases: BIT-django-2023-43665 CVE-2023-43665 GHSA-h8gc-pgj2-vjm3 PYSEC-2023-226) | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-ax42-esfz-vud2 (Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv) | | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-ax7m-uv4s-zkc1 (Aliases: BIT-django-2025-57833 CVE-2025-57833 GHSA-6w2r-r2m5-xq5w PYSEC-2025-105) | An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias(). | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-azdn-r9pz-pqd4 (Aliases: CVE-2015-5143 GHSA-h582-2pch-3xv3 PYSEC-2015-20) | The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys. | Affected by 45 other vulnerabilities. |
| VCID-bjn5-qpmt-qffx (Aliases: BIT-django-2024-27351 CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47) | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-bq5s-uknu-z7cn (Aliases: BIT-django-2024-42005 CVE-2024-42005 GHSA-pv4p-cwwg-4rph PYSEC-2024-70) | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-bxu2-wqcg-1ueh (Aliases: CVE-2019-12308 GHSA-7rp2-fm2h-wchj PYSEC-2019-79) | cross-site scripting | Affected by 38 other vulnerabilities. |
| VCID-cbg1-8tp8-7ube (Aliases: CVE-2016-6186 GHSA-c8c8-9472-w52h PYSEC-2016-2) | Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. | Affected by 45 other vulnerabilities. |
| VCID-chey-b3c1-pbe5 (Aliases: BIT-django-2024-56374 CVE-2024-56374 GHSA-qcgg-j2x8-h9g8 PYSEC-2025-1) | An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-cps4-86gt-kyet (Aliases: CVE-2015-2316 GHSA-j3j3-jrfh-cm2w PYSEC-2015-18) | The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string. | Affected by 57 other vulnerabilities. |
| VCID-ctk2-ykg7-h7ag (Aliases: BIT-django-2023-41164 CVE-2023-41164 GHSA-7h4p-27mh-hmrw PYSEC-2023-225) | In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-em3c-ceug-cubp (Aliases: BIT-django-2025-32873 CVE-2025-32873 GHSA-8j24-cjrq-gr2m PYSEC-2025-37) | denial of service | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-evu1-efcj-gfc5 (Aliases: CVE-2019-14235 GHSA-v9qg-3j8p-r63v PYSEC-2019-14) | multiple issues | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-fbee-vj2y-cfeb (Aliases: BIT-django-2025-48432 CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47) | content spoofing | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-fc6y-y2b1-v3d5 (Aliases: BIT-django-2021-44420 CVE-2021-44420 GHSA-v6rh-hp5x-86rv PYSEC-2021-439) | access restriction bypass | Affected by 16 other vulnerabilities. |
| VCID-fkch-835a-4ffd (Aliases: CVE-2015-5144 GHSA-q5qw-4364-5hhm PYSEC-2015-10) | Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. | Affected by 45 other vulnerabilities. |
| VCID-fynq-usj6-rfd3 (Aliases: CVE-2019-19844 GHSA-vfq6-hq5r-27r6 PYSEC-2019-16) | insufficient validation | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-hs1y-thzf-qqct (Aliases: CVE-2016-9013 GHSA-mv8g-fhh6-6267 PYSEC-2016-17) | multiple issues | Affected by 45 other vulnerabilities. |
| VCID-j1jc-m7e2-5yck (Aliases: CVE-2018-7536 GHSA-r28v-mw67-m5p9 PYSEC-2018-5) | denial of service | Affected by 45 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-kmv2-339j-8ugc (Aliases: BIT-django-2023-36053 CVE-2023-36053 GHSA-jh3w-4vvf-mjgr PYSEC-2023-100) | In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. | Affected by 16 other vulnerabilities. |
| VCID-kv5d-p5n4-r7dp (Aliases: BIT-django-2024-39614 CVE-2024-39614 GHSA-f6f8-9mx6-9mx2 PYSEC-2024-59) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-kxtt-861w-efg6 (Aliases: CVE-2013-6044 GHSA-9cwg-mhxf-hh59 PYSEC-2013-21) | The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme. | Affected by 58 other vulnerabilities. |
| VCID-n9cz-g44c-4fht (Aliases: CVE-2019-14233 GHSA-h5jv-4p7w-64jg PYSEC-2019-12) | multiple issues | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-nh19-fbce-wbfu (Aliases: CVE-2016-2512 GHSA-pw27-w7w4-9qc7 PYSEC-2016-15) | The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com. | Affected by 45 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-nyc2-p1rp-xkb4 (Aliases: BIT-django-2025-26699 CVE-2025-26699 GHSA-p3fp-8748-vqfq PYSEC-2025-13) | An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-ptk1-k7b2-gkdm (Aliases: CVE-2017-7233 GHSA-37hp-765x-j95x PYSEC-2017-9) | multiple issues | Affected by 45 other vulnerabilities. |
| VCID-qg2s-fuw3-nbda (Aliases: BIT-django-2022-36359 CVE-2022-36359 GHSA-8x94-hmjh-97hq PYSEC-2022-245) | | Affected by 16 other vulnerabilities. |
| VCID-s4vz-wfcp-aygd (Aliases: CVE-2016-9014 GHSA-3f2c-jm6v-cr35 PYSEC-2016-18) | multiple issues | Affected by 45 other vulnerabilities. |
| VCID-sz4x-rr8f-a3hf (Aliases: BIT-django-2024-39329 CVE-2024-39329 GHSA-x7q2-wr7g-xqmf PYSEC-2024-57) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-u15a-4ste-43cy (Aliases: BIT-django-2025-64459 CVE-2025-64459 GHSA-frmv-pr5f-9mcr PYSEC-2025-108) | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-v8hg-78p1-87bh (Aliases: CVE-2019-14234 GHSA-6r97-cj55-9hrq PYSEC-2019-13) | multiple issues | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-vm2w-caad-nyd3 (Aliases: BIT-django-2024-41989 CVE-2024-41989 GHSA-jh75-99hh-qvx9 PYSEC-2024-67) | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-vpgq-jhzc-j7h2 (Aliases: BIT-django-2025-59681 CVE-2025-59681 GHSA-hpr9-3m2g-3j9p PYSEC-2025-106) | An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-wj2g-v6dz-2yeq (Aliases: CVE-2019-6975 GHSA-wh4h-v3f2-r2pp PYSEC-2019-18) | denial of service | Affected by 38 other vulnerabilities. |
| VCID-wsx7-6bfa-pugr (Aliases: CVE-2019-3498 GHSA-337x-4q8g-prc5 PYSEC-2019-17) | content spoofing | Affected by 38 other vulnerabilities. |
| VCID-x129-emvy-mqfy (Aliases: CVE-2014-0483 GHSA-rw75-m7gp-92m3 PYSEC-2014-7) | The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. | Affected by 58 other vulnerabilities. |
| VCID-x2hp-rmcn-gbah (Aliases: CVE-2019-14232 GHSA-c4qh-4vgv-qc6g PYSEC-2019-11) | multiple issues | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-x4s4-qav9-xbet (Aliases: BIT-django-2024-24680 CVE-2024-24680 GHSA-xxj9-f6rv-m3x4 PYSEC-2024-28) | An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-xb3c-6rew-z3ba (Aliases: BIT-django-2020-24584 CVE-2020-24584 GHSA-fr28-569j-53c4 PYSEC-2020-34) | multiple issues | Affected by 16 other vulnerabilities. |
| VCID-xmq2-18at-y3gj (Aliases: CVE-2025-59682 GHSA-q95w-c7qg-hrff) | Django vulnerable to partial directory traversal via archives. An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-xu9t-qtjz-bud8 (Aliases: BIT-django-2020-13596 CVE-2020-13596 GHSA-2m34-jcjv-45xf PYSEC-2020-32) | multiple issues | Affected by 38 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-yb2r-r8gy-3yhe (Aliases: CVE-2017-7234 GHSA-h4hv-m4h4-mhwg PYSEC-2017-10) | multiple issues | Affected by 45 other vulnerabilities. |
| VCID-ypwa-2rh9-gyex (Aliases: CVE-2019-12781 GHSA-6c7v-2f49-8h26 PYSEC-2019-10) | silent downgrade | Affected by 38 other vulnerabilities. |
| VCID-zuca-q98m-w7bk (Aliases: CVE-2016-7401 GHSA-crhm-qpjc-cm64 PYSEC-2016-3) | cross-site request forgery | Affected by 45 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2bx5-jaat-u7ek | The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. | CVE-2015-5964 GHSA-x38m-486c-2wr9 PYSEC-2015-23 |
| VCID-697r-xhy8-efa5 | The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. | CVE-2016-2513 GHSA-fp6p-5xvw-m74f PYSEC-2016-16 |
| VCID-6fef-e9tf-7kag | contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record. | CVE-2015-5963 GHSA-pgxh-wfw4-jx2v PYSEC-2015-22 |
| VCID-6p2m-vyft-xfe8 | The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. | CVE-2015-8213 GHSA-6wcr-wcqm-3mfh PYSEC-2015-11 |
| VCID-9bkv-g3r4-u7h7 | The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. | CVE-2014-0482 GHSA-625g-gx8c-xcmg PYSEC-2014-6 |
| VCID-9zch-bnz9-97g4 | Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag. | CVE-2013-4315 GHSA-vjjp-9r83-22rc PYSEC-2013-20 |
| VCID-a799-3q3k-1bc2 | The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL. | CVE-2015-0220 GHSA-gv98-g628-m9x5 PYSEC-2015-5 |
| VCID-azdn-r9pz-pqd4 | The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys. | CVE-2015-5143 GHSA-h582-2pch-3xv3 PYSEC-2015-20 |
| VCID-bnm5-r2rs-zyeb | The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path." | CVE-2014-0472 GHSA-rvq6-mrpv-m6rm PYSEC-2014-1 |
| VCID-d156-9d9y-nygj | The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." | CVE-2014-3730 GHSA-vq3h-3q7v-9prw PYSEC-2014-20 |
| VCID-fkch-835a-4ffd | Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. | CVE-2015-5144 GHSA-q5qw-4364-5hhm PYSEC-2015-10 |
| VCID-gky3-h8cp-mue9 | The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. | CVE-2015-2317 GHSA-7fq8-4pv5-5w5c PYSEC-2015-9 |
| VCID-gzrn-p744-g7f2 | The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated. | CVE-2014-0480 GHSA-f7cm-ccfp-3q4r PYSEC-2014-4 |
| VCID-jvqf-jgv5-3kh5 | The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter. | CVE-2013-0306 GHSA-g8xg-jgj6-49r3 PYSEC-2013-17 |
| VCID-kn6j-a6az-skdu | Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers. | CVE-2014-1418 GHSA-q7q2-qf2q-rw3w PYSEC-2014-19 |
| VCID-kxtt-861w-efg6 | The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme. | CVE-2013-6044 GHSA-9cwg-mhxf-hh59 PYSEC-2013-21 |
| VCID-n9xn-xrqw-qbfk | The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. | CVE-2015-0221 GHSA-jhjg-w2cp-5j44 PYSEC-2015-6 |
| VCID-nh19-fbce-wbfu | The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com. | CVE-2016-2512 GHSA-pw27-w7w4-9qc7 PYSEC-2016-15 |
| VCID-q8cc-4wb1-afed | The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed. | CVE-2013-1443 GHSA-4c42-4rxm-x6qf PYSEC-2013-18 |
| VCID-qqqc-epf2-pqh9 | regression | DSA-2740-2 python-django |
| VCID-ty5v-6ub3-fufy | The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by uploading multiple files with the same name. | CVE-2014-0481 GHSA-296w-6qhq-gf92 PYSEC-2014-5 |
| VCID-vpja-nq3w-tka6 | The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users. | CVE-2014-0473 GHSA-89hj-xfx5-7q66 PYSEC-2014-2 |
| VCID-x129-emvy-mqfy | The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. | CVE-2014-0483 GHSA-rw75-m7gp-92m3 PYSEC-2014-7 |
| VCID-xpsj-hx41-nub8 | The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting." | CVE-2014-0474 GHSA-wqjj-hx84-v449 PYSEC-2014-3 |
| VCID-y2nn-vgsc-f3er | Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. | CVE-2015-0219 GHSA-7qfw-j7hp-v45g PYSEC-2015-4 |