Search for packages
| purl | pkg:pypi/django@2.1.15 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1ay6-j864-aaaq
Aliases: BIT-django-2022-36359 CVE-2022-36359 GHSA-8x94-hmjh-97hq PYSEC-2022-245 |
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. |
Affected by 11 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-3gge-bre2-aaac
Aliases: BIT-django-2024-24680 CVE-2024-24680 GHSA-xxj9-f6rv-m3x4 PYSEC-2024-28 |
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. |
Affected by 2 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-7dtn-w6bf-aaab
Aliases: BIT-2020-13254 BIT-django-2020-13254 CVE-2020-13254 GHSA-wpjr-j57x-wxfw PYSEC-2020-31 |
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. |
Affected by 21 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-93tt-u75s-aaab
Aliases: BIT-2021-44420 BIT-django-2021-44420 CVE-2021-44420 GHSA-v6rh-hp5x-86rv PYSEC-2021-439 |
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. |
Affected by 11 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-an9k-wmax-aaam
Aliases: BIT-2021-33203 BIT-django-2021-33203 CVE-2021-33203 GHSA-68w8-qjq3-2gfm PYSEC-2021-98 |
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. |
Affected by 12 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-dapt-wsva-ubfv
Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv |
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-pm6s-x7r5-aaak
Aliases: CVE-2019-19844 GHSA-vfq6-hq5r-27r6 PYSEC-2019-16 PYSEC-2019-86 |
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) |
Affected by 25 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-q4q6-yfng-aaag
Aliases: BIT-django-2024-27351 CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47 |
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. |
Affected by 1 other vulnerability. Affected by 16 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-x5yz-7qtf-aaar
Aliases: BIT-2020-9402 BIT-django-2020-9402 CVE-2020-9402 GHSA-3gh2-xw74-jmcw PYSEC-2020-36 |
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. |
Affected by 23 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-zh4q-8g5x-aaas
Aliases: BIT-2020-7471 BIT-django-2020-7471 CVE-2020-7471 GHSA-hmr4-m2h5-33qx PYSEC-2020-35 |
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. |
Affected by 24 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-zrah-xa2u-aaan
Aliases: BIT-2020-13596 BIT-django-2020-13596 CVE-2020-13596 GHSA-2m34-jcjv-45xf PYSEC-2020-32 |
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. |
Affected by 21 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 11 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-qs2z-b4r2-aaac | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) |
CVE-2019-19118
GHSA-hvmf-r92r-27hr PYSEC-2019-15 PYSEC-2019-85 |