| purl | pkg:deb/debian/python-django@2:2.2.28-1~deb11u11?distro=trixie |
Vulnerabilities affecting this package

| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
Vulnerabilities fixed by this package

The summaries below quote the upstream Django advisories and their affected and fixed upstream versions (4.2.x, 5.0.x, 5.1.x). The Debian package listed above is 2.2.28 with a deb11u11 security revision, which carries these fixes as backported patches, so an upstream version comparison does not tell you whether this build is fixed; the Debian changelog for that revision does.

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7tph-k8q2-bue2 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. | BIT-django-2024-41991, CVE-2024-41991, GHSA-r836-hh6v-rg5g, PYSEC-2024-69 |
| VCID-e2jd-yd4j-kqgt | Django allows enumeration of user e-mail addresses: An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). | CVE-2024-45231, GHSA-rrqc-c2jx-6jgv |
| VCID-m91a-6235-nye9 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. | BIT-django-2024-42005, CVE-2024-42005, GHSA-pv4p-cwwg-4rph, PYSEC-2024-70 |
| VCID-q12d-kv8p-8ff7 | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. | BIT-django-2024-39329, CVE-2024-39329, GHSA-x7q2-wr7g-xqmf, PYSEC-2024-57 |
| VCID-u3zk-tff2-aua9 | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. | BIT-django-2024-39614, CVE-2024-39614, GHSA-f6f8-9mx6-9mx2, PYSEC-2024-59 |
| VCID-v1xr-z4zu-yfb4 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. | BIT-django-2024-41989, CVE-2024-41989, GHSA-jh75-99hh-qvx9, PYSEC-2024-67 |
| VCID-z27q-zfpz-ckby | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) | BIT-django-2024-39330, CVE-2024-39330, GHSA-9jmf-237g-qf46, PYSEC-2024-58 |
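How the JSONField alias injection in VCID-m91a-6235-nye9 (CVE-2024-42005) works, as an added example that is not part of this page or of Django's code base. It uses only the standard library: the `items` and `users` tables, their rows, the secret value and `MALICIOUS_KEY` are constructed for the demo, and `build_values_sql()` is a simplified model of the SQL that `values("data__<key>")` emits on SQLite, not Django's query compiler. The key path is passed as a bound parameter (Django additionally quotes the key with `json.dumps()`, which this model skips), while the column alias derived from the same key is interpolated into the statement text; `check_alias()` reproduces the forbidden-alias pattern from `django/db/models/sql/query.py` that the fix applies to that alias.

```python
"""Added example (not from the page or the Django project) for
CVE-2024-42005: a JSON object key reaching a column alias becomes SQL
injection; the alias check that stops it. Tables, rows, the secret and
MALICIOUS_KEY are constructed; build_values_sql() is a simplified model."""
import re
import sqlite3

# Pattern used by Django's check_alias() (django/db/models/sql/query.py):
# no whitespace, quotes, brackets, semicolons or SQL comment tokens.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")

# Constructed payload: closes the alias quote, appends a sub-select from
# an unrelated table and re-opens a quote so the statement stays valid.
MALICIOUS_KEY = 'x" , (SELECT secret FROM users LIMIT 1) AS "y'


def check_alias(alias):
    """Raise ValueError for any alias that could break out of its quotes."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, "
            "quotation marks, semicolons, or SQL comments."
        )
    return alias


def quote_name(name):
    """Like the SQLite backend's quote_name(): wrap in double quotes without
    escaping embedded quotes, which is why the alias must be checked first."""
    return '"%s"' % name


def build_values_sql(key, validate):
    """Model of values("data__<key>") on a JSONField (SQLite): the key path
    is a bound parameter, but the column alias derived from the same key is
    interpolated into the statement text. validate=False is the pre-4.2.15 /
    pre-5.0.8 behaviour; validate=True applies the check the fix added."""
    alias = check_alias(key) if validate else key
    sql = "SELECT json_extract(data, ?) AS %s FROM items" % quote_name(alias)
    return sql, ("$." + key,)   # simplification: Django json.dumps()-quotes the key


def demo_db():
    """In-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER PRIMARY KEY, data TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO items (data) VALUES ('{"name": "widget", "qty": 3}');
        INSERT INTO users (secret) VALUES ('s3cr3t-token');
        """
    )
    return conn


def run_values(conn, key, validate):
    """Execute the modelled query and return all rows."""
    sql, params = build_values_sql(key, validate)
    return conn.execute(sql, params).fetchall()


def is_rejected(key):
    """True when the alias check refuses the key before any SQL is built."""
    try:
        check_alias(key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = demo_db()
    print(run_values(conn, "name", True))           # [('widget',)]
    print(run_values(conn, MALICIOUS_KEY, False))   # [(None, 's3cr3t-token')]
    print(is_rejected(MALICIOUS_KEY))               # True
```

The unvalidated query returns a second column read from a table the caller never asked for; with the check in place the same key never reaches the SQL text at all. The practical rule is the one the advisory implies: never pass attacker-controlled strings through `values()` / `values_list()` as field or key names, and keep Django at or above 4.2.15 / 5.0.8 (or a distribution build that backports the fix).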
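The timing oracle in VCID-q12d-kv8p-8ff7 (CVE-2024-39329), as an added example rather than code from this page or from Django. It deliberately counts hasher runs instead of measuring wall-clock time, so the result is deterministic; the PBKDF2 hasher, the `"!"` unusable-password marker, the `USERS` table and `authenticate()` are simplified stand-ins modelled on Django's, with a low iteration count for the demo. A user created with `set_unusable_password()` (for example an SSO-only account) made the vulnerable `check_password()` return before any hashing, so a login attempt against that username answered measurably faster than one against a normal user or an unknown user.

```python
"""Added example (not from the page or Django): deterministic model of the
timing side channel in ModelBackend.authenticate() for users with an
unusable password (CVE-2024-39329) and of the fix. Django is not imported;
the hasher, the user table and the '!' marker are stand-ins."""
import hashlib
import secrets

ITERATIONS = 20_000          # demo value; Django 4.2 defaults to 600_000
UNUSABLE_PREFIX = "!"        # Django stores unusable passwords as "!<random>"
_hash_calls = 0              # instrumented instead of timed: deterministic


def run_hasher(password, salt):
    """One PBKDF2-SHA256 run; this is where the measurable time goes."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()


def make_password(password):
    salt = secrets.token_hex(8)
    return f"pbkdf2_sha256${ITERATIONS}${salt}${run_hasher(password, salt)}"


def is_password_usable(encoded):
    return encoded is not None and not encoded.startswith(UNUSABLE_PREFIX)


def check_password_vulnerable(password, encoded):
    """Pre-4.2.14 shape: an unusable hash returns False before any hashing."""
    if not is_password_usable(encoded):
        return False
    _, _, salt, digest = encoded.split("$", 3)
    return secrets.compare_digest(run_hasher(password, salt), digest)


def check_password_fixed(password, encoded):
    """4.2.14 / 5.0.7 shape: an unusable hash still fails, but only after a
    throw-away hasher run so the request takes as long as a real check."""
    if not is_password_usable(encoded):
        run_hasher(password, secrets.token_hex(8))
        return False
    _, _, salt, digest = encoded.split("$", 3)
    return secrets.compare_digest(run_hasher(password, salt), digest)


def authenticate(users, username, password, check_password):
    """ModelBackend.authenticate() shape: unknown usernames already got a
    dummy hasher run; the bug was that unusable-password users did not."""
    user = users.get(username)
    if user is None:
        make_password(password)   # existing mitigation for unknown usernames
        return None
    return user if check_password(password, user["password"]) else None


def hash_calls_for(users, username, password, check_password):
    """How many hasher runs one login attempt costs: the attacker's oracle."""
    global _hash_calls
    _hash_calls = 0
    authenticate(users, username, password, check_password)
    return _hash_calls


# Constructed user table: one normal account, one SSO-only account stored
# the way set_unusable_password() would store it.
USERS = {
    "alice": {"password": make_password("correct horse")},
    "bob": {"password": UNUSABLE_PREFIX + secrets.token_hex(20)},
}

if __name__ == "__main__":
    for name in ("alice", "bob", "nobody"):
        print(name,
              hash_calls_for(USERS, name, "wrong", check_password_vulnerable),
              hash_calls_for(USERS, name, "wrong", check_password_fixed))
```

With the vulnerable check, `bob` costs zero hasher runs while `alice` and a non-existent account each cost one, which is exactly the difference an attacker times to learn which usernames exist and which of them have no usable password. The fixed check makes all three cost one run. If you cannot upgrade, the same equalisation can be applied in a custom backend, but upgrading is the supported route.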
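What "overriding generate_filename() without replicating the file-path validations" in VCID-z27q-zfpz-ckby (CVE-2024-39330) looks like in practice, as an added example that is not part of this page or of Django. No Django is imported: `Storage`, `validate_file_name()` and `SuspiciousFileOperation` are simplified stand-ins modelled on the Django originals (in Django the validation is split between `FileField.generate_filename()` and `Storage.generate_filename()`; here it is folded into one method), and `MEDIA_ROOT` and the file names are constructed. `NaiveStorage` is the kind of third-party subclass the advisory describes; `HardenedStorage` shows the check that Django 4.2.14 / 5.0.7 applies to the name coming back from `generate_filename()`.

```python
"""Added example (not from the page or the Django project) for
CVE-2024-39330: a Storage subclass that overrides generate_filename()
without the parent's path validation, the traversal that allows during
save(), and the check that closes it. Storage, validate_file_name() and
SuspiciousFileOperation are stand-ins; MEDIA_ROOT and names are constructed."""
import posixpath

MEDIA_ROOT = "/srv/app/media"   # constructed: where uploads should land


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def validate_file_name(name, allow_relative_path=False):
    """Simplified django.core.files.utils.validate_file_name(): reject an
    empty or dot-only basename, an absolute path and any '..' component;
    without allow_relative_path reject any directory part at all."""
    name = name.replace("\\", "/")
    base = posixpath.basename(name)
    if base in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        if name.startswith("/") or ".." in name.split("/"):
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != base:
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class Storage:
    """Stand-in for the relevant part of django.core.files.storage.Storage."""
    location = MEDIA_ROOT

    def generate_filename(self, filename):
        # Parent behaviour: validate, then normalise the (possibly nested) name.
        return posixpath.normpath(validate_file_name(filename, allow_relative_path=True))

    def save(self, name):
        """Return the absolute path this upload would be written to."""
        return posixpath.normpath(posixpath.join(self.location, self.generate_filename(name)))


class NaiveStorage(Storage):
    """The bug: the override prefixes a directory and passes the caller's
    name through untouched, dropping every check the parent performed."""

    def generate_filename(self, filename):
        return posixpath.join("uploads", filename)


class HardenedStorage(NaiveStorage):
    """Same prefixing, but the name coming back from generate_filename() is
    validated before use, which is what Django 4.2.14 / 5.0.7 added."""

    def save(self, name):
        generated = validate_file_name(self.generate_filename(name), allow_relative_path=True)
        return posixpath.normpath(posixpath.join(self.location, generated))


def escapes_media_root(path):
    """True when a resolved path lies outside MEDIA_ROOT."""
    return path != MEDIA_ROOT and not path.startswith(MEDIA_ROOT + "/")


def rejects(storage, name):
    """True when storage.save() refuses the name as suspicious."""
    try:
        storage.save(name)
    except SuspiciousFileOperation:
        return True
    return False


if __name__ == "__main__":
    for name in ("avatar.png", "../../../../etc/evil", "/etc/passwd"):
        naive = NaiveStorage().save(name)
        print(repr(name), "->", naive, "(escapes)" if escapes_media_root(naive) else "",
              "| hardened rejects:", rejects(HardenedStorage(), name))
```

`posixpath.join("uploads", "/etc/passwd")` silently discards the prefix, and `normpath` resolves the `..` components, so the naive subclass lets an upload name chosen by the client land anywhere the process can write. The hardened variant never lets a name with `..` or a leading `/` past `save()`. If you maintain a custom `Storage`, audit any `generate_filename()` override for exactly this pattern even after upgrading, since the built-in check only protects the `FileField.save()` path.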