Search for packages
| purl | pkg:pypi/django@2.2.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2w9q-sann-aaak
Aliases: CVE-2019-14232 GHSA-c4qh-4vgv-qc6g PYSEC-2019-11 PYSEC-2019-81 |
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. |
Affected by 27 other vulnerabilities. |
|
VCID-3sj8-9xug-aaap
Aliases: CVE-2019-12781 GHSA-6c7v-2f49-8h26 PYSEC-2019-10 PYSEC-2019-80 |
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. |
Affected by 31 other vulnerabilities. |
|
VCID-d9pc-5fer-aaak
Aliases: CVE-2019-14233 GHSA-h5jv-4p7w-64jg PYSEC-2019-12 PYSEC-2019-82 |
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. |
Affected by 27 other vulnerabilities. |
|
VCID-he7b-33hj-aaab
Aliases: BIT-2021-33571 BIT-django-2021-33571 CVE-2021-33571 GHSA-p99v-5w3c-jqq9 PYSEC-2021-99 |
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) . |
Affected by 12 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-n8u8-pmvh-aaam
Aliases: BIT-2022-22818 BIT-django-2022-22818 CVE-2022-22818 GHSA-95rw-fx8r-36v6 PYSEC-2022-19 |
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. |
Affected by 6 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-ngaz-arbj-aaap
Aliases: BIT-2022-23833 BIT-django-2022-23833 CVE-2022-23833 GHSA-6cw3-g6wv-c2xv PYSEC-2022-20 |
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. |
Affected by 6 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-p7gc-mdwj-aaaj
Aliases: BIT-2021-45116 BIT-django-2021-45116 CVE-2021-45116 GHSA-8c5j-9r9f-c6w8 PYSEC-2022-2 |
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. |
Affected by 8 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-p9fj-m9t4-aaas
Aliases: BIT-2021-32052 BIT-django-2021-32052 CVE-2021-32052 GHSA-qm57-vhq3-3fwf PYSEC-2021-8 |
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers. |
Affected by 14 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-pyaf-bv24-aaah
Aliases: CVE-2019-14234 GHSA-6r97-cj55-9hrq PYSEC-2019-13 PYSEC-2019-83 |
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function. |
Affected by 27 other vulnerabilities. |
|
VCID-q58w-h5mb-aaaj
Aliases: CVE-2019-14235 GHSA-v9qg-3j8p-r63v PYSEC-2019-14 PYSEC-2019-84 |
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. |
Affected by 27 other vulnerabilities. |
|
VCID-qs2z-b4r2-aaac
Aliases: CVE-2019-19118 GHSA-hvmf-r92r-27hr PYSEC-2019-15 PYSEC-2019-85 |
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) |
Affected by 26 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-r32d-wxg1-aaap
Aliases: BIT-2021-31542 BIT-django-2021-31542 CVE-2021-31542 GHSA-rxjp-mfm9-w4wr PYSEC-2021-7 |
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. |
Affected by 15 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-vytm-ev3f-aaac
Aliases: BIT-2021-45115 BIT-django-2021-45115 CVE-2021-45115 GHSA-53qw-q765-4fww PYSEC-2022-1 |
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. |
Affected by 8 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-wtpw-b4cs-aaaf
Aliases: CVE-2019-12308 GHSA-7rp2-fm2h-wchj PYSEC-2019-79 PYSEC-2019-9 |
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. |
Affected by 32 other vulnerabilities. |
|
VCID-x5yz-7qtf-aaar
Aliases: BIT-2020-9402 BIT-django-2020-9402 CVE-2020-9402 GHSA-3gh2-xw74-jmcw PYSEC-2020-36 |
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. |
Affected by 23 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-yx8w-bmpf-aaaa
Aliases: BIT-2021-45452 BIT-django-2021-45452 CVE-2021-45452 GHSA-jrh2-hc4r-7jwx PYSEC-2022-3 |
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. |
Affected by 8 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 13 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-03-29T10:46:52.087489+00:00 | GHSA Importer | Affected by | VCID-ngaz-arbj-aaap | None | 36.0.0 |
| 2025-03-28T20:03:45.828062+00:00 | GHSA Importer | Affected by | VCID-qs2z-b4r2-aaac | None | 36.0.0 |
| 2025-03-28T20:03:33.710809+00:00 | GHSA Importer | Affected by | VCID-q58w-h5mb-aaaj | None | 36.0.0 |
| 2025-03-28T20:03:33.558174+00:00 | GHSA Importer | Affected by | VCID-pyaf-bv24-aaah | None | 36.0.0 |
| 2025-03-28T20:03:33.461888+00:00 | GHSA Importer | Affected by | VCID-d9pc-5fer-aaak | None | 36.0.0 |
| 2025-03-28T20:03:33.333597+00:00 | GHSA Importer | Affected by | VCID-2w9q-sann-aaak | None | 36.0.0 |
| 2025-03-28T20:03:32.099402+00:00 | GHSA Importer | Affected by | VCID-3sj8-9xug-aaap | None | 36.0.0 |
| 2025-03-28T20:03:29.338651+00:00 | GHSA Importer | Affected by | VCID-wtpw-b4cs-aaaf | None | 36.0.0 |
| 2025-01-17T02:40:25.529880+00:00 | GHSA Importer | Affected by | VCID-n8u8-pmvh-aaam | None | 35.1.0 |
| 2025-01-17T02:40:02.373930+00:00 | GHSA Importer | Affected by | VCID-yx8w-bmpf-aaaa | None | 35.1.0 |
| 2025-01-17T02:40:02.020301+00:00 | GHSA Importer | Affected by | VCID-p7gc-mdwj-aaaj | None | 35.1.0 |
| 2025-01-17T02:40:01.984593+00:00 | GHSA Importer | Affected by | VCID-vytm-ev3f-aaac | None | 35.1.0 |
| 2025-01-17T02:38:56.211059+00:00 | GHSA Importer | Affected by | VCID-he7b-33hj-aaab | None | 35.1.0 |
| 2025-01-17T02:38:49.243281+00:00 | GHSA Importer | Affected by | VCID-p9fj-m9t4-aaas | None | 35.1.0 |
| 2025-01-17T02:38:47.767152+00:00 | GHSA Importer | Affected by | VCID-r32d-wxg1-aaap | None | 35.1.0 |
| 2024-09-17T22:17:00.166047+00:00 | GHSA Importer | Affected by | VCID-q58w-h5mb-aaaj | https://github.com/advisories/GHSA-v9qg-3j8p-r63v | 34.0.1 |
| 2024-09-17T22:16:01.392406+00:00 | GHSA Importer | Affected by | VCID-p9fj-m9t4-aaas | https://github.com/advisories/GHSA-qm57-vhq3-3fwf | 34.0.1 |
| 2024-09-17T22:14:04.456597+00:00 | GHSA Importer | Affected by | VCID-p7gc-mdwj-aaaj | https://github.com/advisories/GHSA-8c5j-9r9f-c6w8 | 34.0.1 |
| 2024-09-17T22:13:47.981515+00:00 | GHSA Importer | Affected by | VCID-3sj8-9xug-aaap | https://github.com/advisories/GHSA-6c7v-2f49-8h26 | 34.0.1 |
| 2024-09-17T22:13:47.823999+00:00 | GHSA Importer | Affected by | VCID-2w9q-sann-aaak | https://github.com/advisories/GHSA-c4qh-4vgv-qc6g | 34.0.1 |
| 2024-09-17T22:13:47.688105+00:00 | GHSA Importer | Affected by | VCID-d9pc-5fer-aaak | https://github.com/advisories/GHSA-h5jv-4p7w-64jg | 34.0.1 |
| 2024-09-17T22:13:47.573048+00:00 | GHSA Importer | Affected by | VCID-wtpw-b4cs-aaaf | https://github.com/advisories/GHSA-7rp2-fm2h-wchj | 34.0.1 |
| 2024-09-17T22:13:47.533165+00:00 | GHSA Importer | Affected by | VCID-he7b-33hj-aaab | https://github.com/advisories/GHSA-p99v-5w3c-jqq9 | 34.0.1 |
| 2024-09-17T22:13:44.746222+00:00 | GHSA Importer | Affected by | VCID-vytm-ev3f-aaac | https://github.com/advisories/GHSA-53qw-q765-4fww | 34.0.1 |
| 2024-09-17T22:13:44.072345+00:00 | GHSA Importer | Affected by | VCID-pyaf-bv24-aaah | https://github.com/advisories/GHSA-6r97-cj55-9hrq | 34.0.1 |
| 2024-09-17T22:13:37.492444+00:00 | GHSA Importer | Affected by | VCID-r32d-wxg1-aaap | https://github.com/advisories/GHSA-rxjp-mfm9-w4wr | 34.0.1 |
| 2024-09-17T22:13:16.473606+00:00 | GHSA Importer | Affected by | VCID-qs2z-b4r2-aaac | https://github.com/advisories/GHSA-hvmf-r92r-27hr | 34.0.1 |
| 2024-09-17T22:13:13.599154+00:00 | GHSA Importer | Affected by | VCID-x5yz-7qtf-aaar | https://github.com/advisories/GHSA-3gh2-xw74-jmcw | 34.0.1 |
| 2024-05-01T21:17:25.477156+00:00 | GHSA Importer | Affected by | VCID-2w9q-sann-aaak | https://github.com/advisories/GHSA-c4qh-4vgv-qc6g | 34.0.0rc4 |
| 2024-04-23T17:41:28.988921+00:00 | GHSA Importer | Affected by | VCID-wtpw-b4cs-aaaf | https://github.com/advisories/GHSA-7rp2-fm2h-wchj | 34.0.0rc4 |
| 2024-04-23T17:41:28.413734+00:00 | GHSA Importer | Affected by | VCID-vytm-ev3f-aaac | https://github.com/advisories/GHSA-53qw-q765-4fww | 34.0.0rc4 |
| 2024-04-23T17:41:27.721729+00:00 | GHSA Importer | Affected by | VCID-r32d-wxg1-aaap | https://github.com/advisories/GHSA-rxjp-mfm9-w4wr | 34.0.0rc4 |
| 2024-04-23T17:41:21.688502+00:00 | GHSA Importer | Affected by | VCID-qs2z-b4r2-aaac | https://github.com/advisories/GHSA-hvmf-r92r-27hr | 34.0.0rc4 |
| 2024-04-23T17:41:18.538780+00:00 | GHSA Importer | Affected by | VCID-x5yz-7qtf-aaar | https://github.com/advisories/GHSA-3gh2-xw74-jmcw | 34.0.0rc4 |
| 2024-01-03T17:46:44.364397+00:00 | GHSA Importer | Affected by | VCID-q58w-h5mb-aaaj | https://github.com/advisories/GHSA-v9qg-3j8p-r63v | 34.0.0rc1 |
| 2024-01-03T17:46:44.028323+00:00 | GHSA Importer | Affected by | VCID-qs2z-b4r2-aaac | https://github.com/advisories/GHSA-hvmf-r92r-27hr | 34.0.0rc1 |
| 2024-01-03T17:45:57.502975+00:00 | GHSA Importer | Affected by | VCID-p9fj-m9t4-aaas | https://github.com/advisories/GHSA-qm57-vhq3-3fwf | 34.0.0rc1 |
| 2024-01-03T17:45:29.146988+00:00 | GHSA Importer | Affected by | VCID-yx8w-bmpf-aaaa | https://github.com/advisories/GHSA-jrh2-hc4r-7jwx | 34.0.0rc1 |
| 2024-01-03T17:44:13.766282+00:00 | GHSA Importer | Affected by | VCID-p7gc-mdwj-aaaj | https://github.com/advisories/GHSA-8c5j-9r9f-c6w8 | 34.0.0rc1 |
| 2024-01-03T17:43:58.147049+00:00 | GHSA Importer | Affected by | VCID-3sj8-9xug-aaap | https://github.com/advisories/GHSA-6c7v-2f49-8h26 | 34.0.0rc1 |
| 2024-01-03T17:43:57.984296+00:00 | GHSA Importer | Affected by | VCID-2w9q-sann-aaak | https://github.com/advisories/GHSA-c4qh-4vgv-qc6g | 34.0.0rc1 |
| 2024-01-03T17:43:57.831234+00:00 | GHSA Importer | Affected by | VCID-d9pc-5fer-aaak | https://github.com/advisories/GHSA-h5jv-4p7w-64jg | 34.0.0rc1 |
| 2024-01-03T17:43:57.709123+00:00 | GHSA Importer | Affected by | VCID-wtpw-b4cs-aaaf | https://github.com/advisories/GHSA-7rp2-fm2h-wchj | 34.0.0rc1 |
| 2024-01-03T17:43:57.671073+00:00 | GHSA Importer | Affected by | VCID-he7b-33hj-aaab | https://github.com/advisories/GHSA-p99v-5w3c-jqq9 | 34.0.0rc1 |
| 2024-01-03T17:43:57.339272+00:00 | GHSA Importer | Affected by | VCID-n8u8-pmvh-aaam | https://github.com/advisories/GHSA-95rw-fx8r-36v6 | 34.0.0rc1 |
| 2024-01-03T17:43:54.777783+00:00 | GHSA Importer | Affected by | VCID-vytm-ev3f-aaac | https://github.com/advisories/GHSA-53qw-q765-4fww | 34.0.0rc1 |
| 2024-01-03T17:43:54.195446+00:00 | GHSA Importer | Affected by | VCID-pyaf-bv24-aaah | https://github.com/advisories/GHSA-6r97-cj55-9hrq | 34.0.0rc1 |
| 2024-01-03T17:43:48.149968+00:00 | GHSA Importer | Affected by | VCID-r32d-wxg1-aaap | https://github.com/advisories/GHSA-rxjp-mfm9-w4wr | 34.0.0rc1 |
| 2024-01-03T17:43:47.974983+00:00 | GHSA Importer | Affected by | VCID-ngaz-arbj-aaap | https://github.com/advisories/GHSA-6cw3-g6wv-c2xv | 34.0.0rc1 |