Search for packages
| purl | pkg:pypi/django@1.4.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1zka-nz8a-aaab
Aliases: CVE-2014-3730 GHSA-vq3h-3q7v-9prw PYSEC-2014-20 |
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." |
Affected by 35 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-3d5b-vwf4-aaad
Aliases: CVE-2015-5964 GHSA-x38m-486c-2wr9 PYSEC-2015-23 |
The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. |
Affected by 20 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-5cec-8tk7-aaas
Aliases: CVE-2013-1665 GHSA-x64m-686f-fmm3 |
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack. |
Affected by 44 other vulnerabilities. |
|
VCID-a6xe-py95-aaab
Aliases: CVE-2013-6044 GHSA-9cwg-mhxf-hh59 PYSEC-2013-21 |
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme. |
Affected by 42 other vulnerabilities. Affected by 38 other vulnerabilities. |
|
VCID-a8bk-83zt-aaar
Aliases: CVE-2012-3443 GHSA-59w8-4wm2-4xw8 PYSEC-2012-3 |
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file. |
Affected by 49 other vulnerabilities. |
|
VCID-cw41-fuky-aaak
Aliases: CVE-2014-1418 GHSA-q7q2-qf2q-rw3w PYSEC-2014-19 |
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers. |
Affected by 35 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-j2zf-12g6-aaag
Aliases: CVE-2015-5963 GHSA-pgxh-wfw4-jx2v PYSEC-2015-22 |
contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record. |
Affected by 20 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-kd5p-kces-aaaq
Aliases: CVE-2013-1443 GHSA-4c42-4rxm-x6qf PYSEC-2013-18 |
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed. |
Affected by 40 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-qze9-hqke-aaaj
Aliases: CVE-2013-1664 GHSA-qrh7-x6fp-c2mp |
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. |
Affected by 44 other vulnerabilities. |
|
VCID-sk2m-nk8j-aaam
Aliases: CVE-2013-0306 GHSA-g8xg-jgj6-49r3 PYSEC-2013-17 |
The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter. |
Affected by 44 other vulnerabilities. |
|
VCID-z6dt-rqp1-aaaj
Aliases: CVE-2013-0305 GHSA-r7w6-p47g-vj53 PYSEC-2013-16 |
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information. |
Affected by 44 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||