Search for packages
| purl | pkg:pypi/django@1.8c1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1ay6-j864-aaaq
Aliases: BIT-django-2022-36359 CVE-2022-36359 GHSA-8x94-hmjh-97hq PYSEC-2022-245 |
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. |
Affected by 11 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-2rmr-7q84-aaas
Aliases: CVE-2015-5145 GHSA-cqf7-ff9h-7967 PYSEC-2015-21 |
validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. |
Affected by 24 other vulnerabilities. |
|
VCID-3gge-bre2-aaac
Aliases: BIT-django-2024-24680 CVE-2024-24680 GHSA-xxj9-f6rv-m3x4 PYSEC-2024-28 |
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. |
Affected by 2 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-482k-kc8y-aaas
Aliases: CVE-2015-5143 GHSA-h582-2pch-3xv3 PYSEC-2015-20 |
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys. |
Affected by 24 other vulnerabilities. |
|
VCID-7n48-35un-aaaj
Aliases: CVE-2016-2513 GHSA-fp6p-5xvw-m74f PYSEC-2016-16 |
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. |
Affected by 19 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-93tt-u75s-aaab
Aliases: BIT-2021-44420 BIT-django-2021-44420 CVE-2021-44420 GHSA-v6rh-hp5x-86rv PYSEC-2021-439 |
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. |
Affected by 11 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-an9k-wmax-aaam
Aliases: BIT-2021-33203 BIT-django-2021-33203 CVE-2021-33203 GHSA-68w8-qjq3-2gfm PYSEC-2021-98 |
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. |
Affected by 12 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-c4q6-kpvv-aaar
Aliases: CVE-2015-5144 GHSA-q5qw-4364-5hhm PYSEC-2015-10 |
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. |
Affected by 24 other vulnerabilities. |
|
VCID-dapt-wsva-ubfv
Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv |
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ean7-wkmd-aaac
Aliases: CVE-2018-7536 GHSA-r28v-mw67-m5p9 PYSEC-2018-5 |
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. |
Affected by 11 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-ftvc-fkjc-aaaa
Aliases: CVE-2016-6186 GHSA-c8c8-9472-w52h PYSEC-2016-2 |
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. |
Affected by 18 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-g3n7-gan2-aaap
Aliases: CVE-2015-8213 GHSA-6wcr-wcqm-3mfh PYSEC-2015-11 |
The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. |
Affected by 21 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-hbqw-6pkz-aaaj
Aliases: GMS-2015-21 |
Denial-of-service possibility in logout() view by filling session store A session can be created when anonymously accessing the `django.contrib.auth.views.logout` view (provided it wasn't decorated with `django.contrib.auth.decorators.login_required` as done in the admin). This allows an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted. |
Affected by 22 other vulnerabilities. |
|
VCID-jefu-dz7u-aaac
Aliases: CVE-2019-6975 GHSA-wh4h-v3f2-r2pp PYSEC-2019-18 PYSEC-2019-88 |
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-mc9t-adza-aaak
Aliases: CVE-2017-7233 GHSA-37hp-765x-j95x PYSEC-2017-9 |
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. |
Affected by 13 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-megv-8jp3-aaas
Aliases: CVE-2015-3982 GHSA-6wgp-fwfm-mxp3 PYSEC-2015-19 |
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key. |
Affected by 27 other vulnerabilities. |
|
VCID-n4jb-683r-aaar
Aliases: CVE-2016-9013 GHSA-mv8g-fhh6-6267 PYSEC-2016-17 |
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary. |
Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-pm6s-x7r5-aaak
Aliases: CVE-2019-19844 GHSA-vfq6-hq5r-27r6 PYSEC-2019-16 PYSEC-2019-86 |
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) |
Affected by 8 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-q4q6-yfng-aaag
Aliases: BIT-django-2024-27351 CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47 |
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. |
Affected by 1 other vulnerability. Affected by 16 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-r4bp-3zs8-aaag
Aliases: CVE-2019-3498 GHSA-337x-4q8g-prc5 PYSEC-2019-17 PYSEC-2019-87 |
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. |
Affected by 16 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-shuh-ae95-aaah
Aliases: CVE-2016-9014 GHSA-3f2c-jm6v-cr35 PYSEC-2016-18 |
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS. |
Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-x5yz-7qtf-aaar
Aliases: BIT-2020-9402 BIT-django-2020-9402 CVE-2020-9402 GHSA-3gh2-xw74-jmcw PYSEC-2020-36 |
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. |
Affected by 6 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-ywrp-89aa-aaaf
Aliases: CVE-2016-2512 GHSA-pw27-w7w4-9qc7 PYSEC-2016-15 |
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com. |
Affected by 19 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-yxyn-357b-aaad
Aliases: CVE-2016-7401 GHSA-crhm-qpjc-cm64 PYSEC-2016-3 |
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. |
Affected by 17 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-zh4q-8g5x-aaas
Aliases: BIT-2020-7471 BIT-django-2020-7471 CVE-2020-7471 GHSA-hmr4-m2h5-33qx PYSEC-2020-35 |
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. |
Affected by 7 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 17 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-p68k-ajnb-aaam | The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. |
CVE-2015-2317
GHSA-7fq8-4pv5-5w5c PYSEC-2015-9 |
| VCID-tq1h-pt67-aaaj | The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string. |
CVE-2015-2316
GHSA-j3j3-jrfh-cm2w PYSEC-2015-18 |