Search for packages
| purl | pkg:pypi/django@4.2a1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-589h-ndhj-aaab
Aliases: BIT-2023-31047 BIT-django-2023-31047 CVE-2023-31047 GHSA-r3xc-prgr-mg9p PYSEC-0000-CVE-2023-31047 PYSEC-2023-61 |
Django bypasses validation when using one form field to upload multiple files |
Affected by 22 other vulnerabilities. |
|
VCID-dapt-wsva-ubfv
Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv |
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-q4q6-yfng-aaag
Aliases: BIT-django-2024-27351 CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47 |
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. |
Affected by 16 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-rwqv-shhz-aaag
Aliases: BIT-django-2023-46695 CVE-2023-46695 GHSA-qmf9-6jqf-j8fq PYSEC-2023-222 |
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. |
Affected by 18 other vulnerabilities. |
|
VCID-spub-8snt-aaaq
Aliases: BIT-django-2023-43665 CVE-2023-43665 GHSA-h8gc-pgj2-vjm3 PYSEC-2023-226 |
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Affected by 19 other vulnerabilities. |
|
VCID-ucbd-zk38-aaae
Aliases: BIT-2023-36053 BIT-django-2023-36053 CVE-2023-36053 GHSA-jh3w-4vvf-mjgr PYSEC-0000-CVE-2023-36053 PYSEC-2023-100 |
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. |
Affected by 21 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-c4jh-zr55-aaae | In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. |
BIT-2023-23969
BIT-django-2023-23969 CVE-2023-23969 GHSA-q2jf-h9jm-m7p4 PYSEC-0000-CVE-2023-23969 PYSEC-2023-12 |
| VCID-ucbd-zk38-aaae | In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. |
BIT-2023-36053
BIT-django-2023-36053 CVE-2023-36053 GHSA-jh3w-4vvf-mjgr PYSEC-0000-CVE-2023-36053 PYSEC-2023-100 |