Filtered by vendor Djangoproject
Subscribe
Total
100 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2015-0219 | 1 Djangoproject | 1 Django | 2016-12-21 | 5.0 MEDIUM | N/A |
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. | |||||
CVE-2015-0220 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2016-12-21 | 4.3 MEDIUM | N/A |
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL. | |||||
CVE-2015-8213 | 1 Djangoproject | 1 Django | 2016-12-07 | 5.0 MEDIUM | N/A |
The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. | |||||
CVE-2015-3982 | 1 Djangoproject | 1 Django | 2016-12-05 | 5.0 MEDIUM | N/A |
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key. | |||||
CVE-2015-2241 | 1 Djangoproject | 1 Django | 2016-12-02 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property. | |||||
CVE-2016-2048 | 1 Djangoproject | 1 Django | 2016-11-28 | 6.0 MEDIUM | 5.5 MEDIUM |
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission. | |||||
CVE-2011-4103 | 1 Djangoproject | 1 Piston | 2014-12-18 | 7.5 HIGH | N/A |
emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. | |||||
CVE-2013-1443 | 1 Djangoproject | 1 Django | 2014-01-27 | 5.0 MEDIUM | N/A |
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed. | |||||
CVE-2013-4315 | 1 Djangoproject | 1 Django | 2013-12-09 | 5.0 MEDIUM | N/A |
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag. | |||||
CVE-2013-0306 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2013-05-14 | 5.0 MEDIUM | N/A |
The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter. | |||||
CVE-2013-0305 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2013-05-14 | 4.0 MEDIUM | N/A |
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information. | |||||
CVE-2012-4520 | 1 Djangoproject | 1 Django | 2013-05-03 | 6.4 MEDIUM | N/A |
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values. | |||||
CVE-2012-3444 | 1 Djangoproject | 1 Django | 2013-04-10 | 5.0 MEDIUM | N/A |
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image. | |||||
CVE-2012-3443 | 1 Djangoproject | 1 Django | 2013-04-10 | 5.0 MEDIUM | N/A |
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file. | |||||
CVE-2012-3442 | 1 Djangoproject | 1 Django | 2013-04-10 | 4.3 MEDIUM | N/A |
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL. | |||||
CVE-2011-0697 | 1 Djangoproject | 1 Django | 2011-03-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. | |||||
CVE-2011-0696 | 1 Djangoproject | 1 Django | 2011-03-10 | 6.8 MEDIUM | N/A |
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447. | |||||
CVE-2011-0698 | 2 Djangoproject, Microsoft | 2 Django, Windows | 2011-02-22 | 7.5 HIGH | N/A |
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays. | |||||
CVE-2010-4534 | 1 Djangoproject | 1 Django | 2011-01-19 | 4.0 MEDIUM | N/A |
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter. | |||||
CVE-2010-4535 | 1 Djangoproject | 1 Django | 2011-01-19 | 5.0 MEDIUM | N/A |
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer. |