Search for packages
| purl | pkg:pypi/django@1.2.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-188m-1bke-aaae
Aliases: CVE-2010-4534 GHSA-fwr5-q9rx-294f PYSEC-2011-8 |
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter. |
Affected by 45 other vulnerabilities. |
|
VCID-97zd-8qnf-aaak
Aliases: CVE-2011-0698 GHSA-7g9h-c88w-r7h2 PYSEC-2011-12 |
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays. |
Affected by 42 other vulnerabilities. |
|
VCID-9a6w-tyy9-aaak
Aliases: CVE-2010-4535 GHSA-7wph-fc4w-wqp2 PYSEC-2011-9 |
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer. |
Affected by 45 other vulnerabilities. |
|
VCID-f5ba-32u6-aaam
Aliases: CVE-2011-4137 GHSA-3jqw-crqj-w8qw PYSEC-2011-2 |
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521. |
Affected by 38 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
VCID-n45x-dafe-aaam
Aliases: CVE-2011-0696 GHSA-5j2h-h5hg-3wf8 PYSEC-2011-10 |
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447. |
Affected by 42 other vulnerabilities. |
|
VCID-py22-6k57-aaad
Aliases: CVE-2010-3082 GHSA-fxpg-gg9g-76gj PYSEC-2010-12 |
Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie. |
Affected by 47 other vulnerabilities. |
|
VCID-qyf9-fxzc-aaad
Aliases: CVE-2011-4136 GHSA-x88j-93vc-wpmp PYSEC-2011-1 |
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier. |
Affected by 38 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
VCID-uvku-wexv-aaak
Aliases: CVE-2011-0697 GHSA-8m3r-rv5g-fcpq PYSEC-2011-11 |
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. |
Affected by 42 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||