purl | pkg:pypi/django@1.3.0 |
Tags | Ghost |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-1cws-jqeh-aaaj (Aliases: CVE-2011-4140, GHSA-h95j-h2rv-qrg4, PYSEC-2011-5) | The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code. | Affected by 43 other vulnerabilities. Affected by 39 other vulnerabilities. |
VCID-5cec-8tk7-aaas (Aliases: CVE-2013-1665, GHSA-x64m-686f-fmm3) | The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack. | Affected by 34 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-bs2a-sg2y-aaap (Aliases: CVE-2011-4139, GHSA-rm2j-x595-q9cj, PYSEC-2011-4) | Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request. | Affected by 43 other vulnerabilities. |
VCID-f5ba-32u6-aaam (Aliases: CVE-2011-4137, GHSA-3jqw-crqj-w8qw, PYSEC-2011-2) | The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521. | Affected by 43 other vulnerabilities. |
VCID-qyf9-fxzc-aaad (Aliases: CVE-2011-4136, GHSA-x88j-93vc-wpmp, PYSEC-2011-1) | django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier. | Affected by 43 other vulnerabilities. |
VCID-qze9-hqke-aaaj (Aliases: CVE-2013-1664, GHSA-qrh7-x6fp-c2mp) | The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. | Affected by 34 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-sk2m-nk8j-aaam (Aliases: CVE-2013-0306, GHSA-g8xg-jgj6-49r3, PYSEC-2013-17) | The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter. | Affected by 34 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-z6dt-rqp1-aaaj (Aliases: CVE-2013-0305, GHSA-r7w6-p47g-vj53, PYSEC-2013-16) | The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information. | Affected by 34 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-zkx7-8zue-aaan (Aliases: CVE-2011-4138, GHSA-wxg3-mfph-qg9w, PYSEC-2011-3) | The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header. | Affected by 43 other vulnerabilities. |
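The table above is the answer to one question: does the version in the purl fall inside the affected ranges the advisories state? The following is an added example of that check, written for this page and not VulnerableCode's own matching code. It parses the purl, transcribes the "before"/"through" ranges from the summaries into inclusive/exclusive bounds, and reports which advisories apply. Assumptions: only dotted numeric versions are modelled, so the "1.5 before release candidate 2" clause is left out, and the two Python XML-library issues (CVE-2013-1665, CVE-2013-1664) are left out because they give Python, not Django, version ranges.

```python
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, ...]


class Bound(NamedTuple):
    """One affected interval from an advisory summary. The lower bound is
    inclusive; the upper bound is inclusive for "through X" and exclusive
    for "before X"."""

    lo: Version
    hi: Version
    hi_inclusive: bool

    def contains(self, version: Version) -> bool:
        if version < self.lo:
            return False
        return version <= self.hi if self.hi_inclusive else version < self.hi


ZERO: Version = (0,)
ONE_THREE: Version = (1, 3)  # "1.3.x" starts here: (1, 3) < (1, 3, 0) in tuple order

# Ranges transcribed from the summaries in the table above (assumed transcription).
BEFORE_1_2_7_AND_1_3_X_BEFORE_1_3_1 = [
    Bound(ZERO, (1, 2, 7), False),
    Bound(ONE_THREE, (1, 3, 1), False),
]
ONE_THREE_BEFORE_1_3_6_AND_1_4_BEFORE_1_4_4 = [
    Bound(ONE_THREE, (1, 3, 6), False),
    Bound((1, 4), (1, 4, 4), False),
]
ADVISORIES: Dict[str, List[Bound]] = {
    # "through 1.2.7 and 1.3.x through 1.3.1": both upper bounds inclusive
    "CVE-2011-4140": [Bound(ZERO, (1, 2, 7), True), Bound(ONE_THREE, (1, 3, 1), True)],
    "CVE-2011-4139": BEFORE_1_2_7_AND_1_3_X_BEFORE_1_3_1,
    "CVE-2011-4137": BEFORE_1_2_7_AND_1_3_X_BEFORE_1_3_1,
    "CVE-2011-4136": BEFORE_1_2_7_AND_1_3_X_BEFORE_1_3_1,
    "CVE-2011-4138": BEFORE_1_2_7_AND_1_3_X_BEFORE_1_3_1,
    # "1.5 before release candidate 2" clause omitted: pre-release tags not modelled
    "CVE-2013-0306": ONE_THREE_BEFORE_1_3_6_AND_1_4_BEFORE_1_4_4,
    "CVE-2013-0305": ONE_THREE_BEFORE_1_3_6_AND_1_4_BEFORE_1_4_4,
}


def parse_version(text: str) -> Version:
    """Dotted numeric version -> comparable tuple. Anything else is rejected
    rather than silently compared wrongly."""
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"only dotted numeric versions are supported: {text!r}")
    return tuple(int(p) for p in parts)


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Return (type, name, version) from a purl such as pkg:pypi/django@1.3.0.
    Qualifiers (?...) and subpath (#...) are stripped before splitting; a
    namespace segment, if present, stays folded into the name."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    if "@" not in body:
        raise ValueError("purl has no version to match against")
    path, _, version = body.rpartition("@")
    ptype, _, name = path.partition("/")
    if not ptype or not name or not version:
        raise ValueError(f"malformed purl: {purl!r}")
    return ptype, name, version


def affecting_advisories(purl: str) -> List[str]:
    """Advisories from the table whose stated ranges contain the purl's version."""
    ptype, name, version = parse_purl(purl)
    if (ptype, name.lower()) != ("pypi", "django"):
        return []
    parsed = parse_version(version)
    return sorted(
        cve for cve, bounds in ADVISORIES.items() if any(b.contains(parsed) for b in bounds)
    )


if __name__ == "__main__":
    for purl in ("pkg:pypi/django@1.3.0", "pkg:pypi/django@1.3.1", "pkg:pypi/django@1.3.6"):
        print(purl, "->", affecting_advisories(purl) or "none of the listed ranges")
```

Tuple comparison does the range work: (1, 3) sorts before (1, 3, 0), so a bare (1, 3) lower bound captures every 1.3.x release. The check for 1.3.1 still returns CVE-2011-4140, because that summary says "through 1.3.1" rather than "before 1.3.1", which is the distinction worth reading the wording for before trusting a "fixed in" claim.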
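The CVE-2011-4136 row describes a namespace collision rather than a parser bug, and it is easiest to see with a cache in hand. The following added example (written for this page, not Django's code) keeps session dicts in a toy in-memory cache under the bare session id, then has an application view cache a client-chosen string as a key. Django 1.3.1 addressed the issue by prefixing session cache keys; the prefix string and the session id below are assumptions for illustration.

```python
import hashlib
from typing import Any, Callable, Dict

# Assumed prefix for illustration; the point is that session keys get their own namespace.
SESSION_KEY_PREFIX = "django.contrib.sessions.cache"
# Constructed session id of the attacker's own (anonymous) session.
ATTACKER_SESSION_ID = "u5w0zkcp6h0qz8hfm3f5p2n4k3f9jx2q"


class MemoryCache:
    """Stand-in for a cache backend shared by sessions and application data."""

    def __init__(self) -> None:
        self._store: Dict[str, Any] = {}

    def get(self, key: str, default: Any = None) -> Any:
        return self._store.get(key, default)

    def set(self, key: str, value: Any) -> None:
        self._store[key] = value


class CacheSessionStore:
    """Session backend keeping each session dict in the shared cache.
    key_prefix="" reproduces the root-namespace layout the advisory describes."""

    def __init__(self, cache: MemoryCache, session_key: str, key_prefix: str = "") -> None:
        self._cache = cache
        self._cache_key = key_prefix + session_key

    def load(self) -> Dict[str, Any]:
        return dict(self._cache.get(self._cache_key, {}))

    def save(self, data: Dict[str, Any]) -> None:
        self._cache.set(self._cache_key, dict(data))


def raw_key(client_text: str) -> str:
    """Application uses client input as the cache key verbatim: the pattern
    that makes the collision reachable."""
    return client_text


def hashed_key(client_text: str) -> str:
    """Application derives the key inside its own namespace, so no client
    string can land on a session entry whatever prefix sessions use."""
    return "search:" + hashlib.sha256(client_text.encode()).hexdigest()


def run_attack(session_prefix: str, app_key: Callable[[str], str], attacker_text: str) -> Dict[str, Any]:
    """Attacker holds an anonymous session and submits attacker_text to a view
    that caches its (attacker-controlled) result under app_key(attacker_text).
    Returns what the session backend then reads back for the attacker's session."""
    cache = MemoryCache()
    session = CacheSessionStore(cache, ATTACKER_SESSION_ID, session_prefix)
    session.save({})  # anonymous: no _auth_user_id

    forged_session = {"_auth_user_id": 1}  # what the attacker wants the backend to load
    cache.set(app_key(attacker_text), forged_session)  # the application's cache write
    return session.load()


if __name__ == "__main__":
    print("root namespace, raw key:", run_attack("", raw_key, ATTACKER_SESSION_ID))
    print("prefixed sessions, raw key, bare id:", run_attack(SESSION_KEY_PREFIX, raw_key, ATTACKER_SESSION_ID))
    print("prefixed sessions, raw key, prefix+id:",
          run_attack(SESSION_KEY_PREFIX, raw_key, SESSION_KEY_PREFIX + ATTACKER_SESSION_ID))
    print("prefixed sessions, hashed key:",
          run_attack(SESSION_KEY_PREFIX, hashed_key, SESSION_KEY_PREFIX + ATTACKER_SESSION_ID))
```

The third case is the caveat worth keeping: a session key prefix stops an application key from accidentally equalling a session id, which is exactly what the summary describes, but it is not a boundary against code that lets the client pick the whole key, because the prefix is public. The durable fix is on the application side: never use client input as a bare cache key.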
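The CVE-2013-0306 row is a resource-limit bypass: the number of forms a bound formset builds comes from the client's own management-form data, so one POST can demand an arbitrary number of form instances. The following is an added example for this page, not Django's formset code; it extracts that count from a constructed POST body and shows the untrusted count beside a clamped one. The clamp follows the shape of the fix (bounding the submitted count by max_num plus a fixed absolute ceiling), but the constant and field names here are assumptions.

```python
from typing import Dict, List

TOTAL_FORM_COUNT = "TOTAL_FORMS"
DEFAULT_MAX_NUM = 1000  # assumed absolute-ceiling constant, for illustration

# Constructed POST body: one real form, but a management form claiming five million.
HOSTILE_POST: Dict[str, str] = {
    "form-TOTAL_FORMS": "5000000",
    "form-INITIAL_FORMS": "0",
    "form-0-name": "alice",
}


def total_form_count(post: Dict[str, str], prefix: str, max_num: int, hardened: bool) -> int:
    """Number of forms a bound formset will build from the management form.

    The count is read straight from the POST body. hardened=False trusts it,
    which is the behaviour the advisory describes; hardened=True bounds it by
    max_num plus a fixed ceiling so the client cannot buy unbounded memory.
    """
    raw = post.get(f"{prefix}-{TOTAL_FORM_COUNT}")
    if raw is None or not raw.isdigit():
        raise ValueError("ManagementForm data is missing or has been tampered with")
    total = int(raw)
    if not hardened:
        return total
    return min(total, max_num + DEFAULT_MAX_NUM)


def bind_formset(post: Dict[str, str], prefix: str, max_num: int, hardened: bool) -> List[Dict[str, str]]:
    """Build one dict of field values per form. Every entry costs memory, so
    the count returned by total_form_count is exactly what the client controls."""
    forms: List[Dict[str, str]] = []
    for index in range(total_form_count(post, prefix, max_num, hardened)):
        form_prefix = f"{prefix}-{index}-"
        forms.append(
            {key[len(form_prefix):]: value for key, value in post.items() if key.startswith(form_prefix)}
        )
    return forms


if __name__ == "__main__":
    print("untrusted count:", total_form_count(HOSTILE_POST, "form", 10, hardened=False))
    print("clamped count:", total_form_count(HOSTILE_POST, "form", 10, hardened=True))
    # bind_formset with hardened=False on HOSTILE_POST would allocate five million dicts;
    # only the clamped path is safe to run.
    print("forms built (clamped):", len(bind_formset(HOSTILE_POST, "form", 10, hardened=True)))
```

Note that max_num alone is a display limit, not a bound on the submitted count; the clamp has to apply where the count is read from the request, before any per-form allocation happens.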
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. | | |