Search for packages
| purl | pkg:pypi/django@1.8b2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-325d-7dfk-sqd2
Aliases: CVE-2016-2513 GHSA-fp6p-5xvw-m74f PYSEC-2016-16 |
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. |
Affected by 18 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-6gss-ppm5-3yc9
Aliases: BIT-django-2022-36359 CVE-2022-36359 GHSA-8x94-hmjh-97hq PYSEC-2022-245 |
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. |
Affected by 15 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-84mm-45p6-xkau
Aliases: CVE-2025-64458 GHSA-qw25-v68c-qjf3 |
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-896g-hqec-ryb9
Aliases: BIT-django-2025-48432 CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47 |
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. |
Affected by 15 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-8jaq-53td-wbeg
Aliases: CVE-2019-19844 GHSA-vfq6-hq5r-27r6 PYSEC-2019-16 |
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) |
Affected by 9 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-8teq-9xr9-q3fg
Aliases: CVE-2016-7401 GHSA-crhm-qpjc-cm64 PYSEC-2016-3 |
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. |
Affected by 16 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-9uzd-mmyv-mfh4
Aliases: CVE-2025-64459 GHSA-frmv-pr5f-9mcr |
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. |
Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-bdms-nb18-guf9
Aliases: CVE-2017-7233 GHSA-37hp-765x-j95x PYSEC-2017-9 |
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. |
Affected by 12 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-br5x-v7md-47hp
Aliases: CVE-2015-8213 GHSA-6wcr-wcqm-3mfh PYSEC-2015-11 |
The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. |
Affected by 20 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-e2jd-yd4j-kqgt
Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv |
Django allows enumeration of user e-mail addresses An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
Affected by 22 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-gvvs-megy-9fc3
Aliases: CVE-2015-2316 GHSA-j3j3-jrfh-cm2w PYSEC-2015-18 |
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string. |
Affected by 22 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-jumh-hkhx-7qc9
Aliases: CVE-2015-2317 GHSA-7fq8-4pv5-5w5c PYSEC-2015-9 |
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. |
Affected by 22 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-k6s1-gnmc-e3ed
Aliases: CVE-2016-9014 GHSA-3f2c-jm6v-cr35 PYSEC-2016-18 |
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS. |
Affected by 14 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-khxh-hjmn-fbdq
Aliases: CVE-2015-3982 GHSA-6wgp-fwfm-mxp3 PYSEC-2015-19 |
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key. |
Affected by 26 other vulnerabilities. |
|
VCID-mv1p-yxvp-pbh6
Aliases: CVE-2018-7536 GHSA-r28v-mw67-m5p9 PYSEC-2018-5 |
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. |
Affected by 10 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-p543-5y7x-63hd
Aliases: GMS-2015-21 |
Denial-of-service possibility in logout() view by filling session store A session can be created when anonymously accessing the `django.contrib.auth.views.logout` view (provided it wasn't decorated with `django.contrib.auth.decorators.login_required` as done in the admin). This allows an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted. |
Affected by 21 other vulnerabilities. |
|
VCID-qm34-ec8s-tfd7
Aliases: BIT-django-2021-33203 CVE-2021-33203 GHSA-68w8-qjq3-2gfm PYSEC-2021-98 |
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. |
Affected by 14 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-sbr6-pybe-dubq
Aliases: CVE-2015-5144 GHSA-q5qw-4364-5hhm PYSEC-2015-10 |
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. |
Affected by 23 other vulnerabilities. |
|
VCID-t8d7-68j2-suet
Aliases: CVE-2015-5145 GHSA-cqf7-ff9h-7967 PYSEC-2015-21 |
validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. |
Affected by 23 other vulnerabilities. |
|
VCID-uk1w-hehw-dyda
Aliases: CVE-2016-9013 GHSA-mv8g-fhh6-6267 PYSEC-2016-17 |
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary. |
Affected by 14 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-ukxp-wqpr-t3by
Aliases: CVE-2016-2512 GHSA-pw27-w7w4-9qc7 PYSEC-2016-15 |
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com. |
Affected by 18 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-w2dv-u8h6-sbgs
Aliases: BIT-django-2020-7471 CVE-2020-7471 GHSA-hmr4-m2h5-33qx PYSEC-2020-35 |
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. |
Affected by 8 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-w4pr-k5nj-ckgy
Aliases: CVE-2025-57833 GHSA-6w2r-r2m5-xq5w |
Django is subject to SQL injection through its column aliases An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). |
Affected by 14 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-x4ev-6zjm-sbe4
Aliases: CVE-2016-6186 GHSA-c8c8-9472-w52h PYSEC-2016-2 |
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. |
Affected by 17 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-x516-xwze-6ba3
Aliases: PYSEC-2019-86 |
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) |
Affected by 9 other vulnerabilities. Affected by 27 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2dhb-9yue-33h7 | Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property. |
CVE-2015-2241
GHSA-6565-fg86-6jcx PYSEC-2015-8 |