Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Djangoproject Subscribe
Total 100 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-24580 2 Debian, Djangoproject 2 Debian Linux, Django 2023-03-16 N/A 7.5 HIGH
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
CVE-2022-41323 1 Djangoproject 1 Django 2023-03-10 N/A 7.5 HIGH
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
CVE-2023-23969 2 Debian, Djangoproject 2 Debian Linux, Django 2023-03-02 N/A 7.5 HIGH
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
CVE-2022-28347 2 Debian, Djangoproject 2 Debian Linux, Django 2022-11-07 7.5 HIGH 9.8 CRITICAL
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
CVE-2022-28346 2 Debian, Djangoproject 2 Debian Linux, Django 2022-11-07 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
CVE-2022-23833 3 Debian, Djangoproject, Fedoraproject 3 Debian Linux, Django, Fedora 2022-11-07 5.0 MEDIUM 7.5 HIGH
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
CVE-2022-22818 3 Debian, Djangoproject, Fedoraproject 3 Debian Linux, Django, Fedora 2022-11-07 4.3 MEDIUM 6.1 MEDIUM
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
CVE-2022-34265 1 Djangoproject 1 Django 2022-10-26 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
CVE-2022-36359 1 Djangoproject 1 Django 2022-10-15 N/A 8.8 HIGH
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
CVE-2020-9402 5 Canonical, Debian, Djangoproject and 2 more 5 Ubuntu Linux, Debian Linux, Django and 2 more 2022-10-07 6.5 MEDIUM 8.8 HIGH
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
CVE-2020-24584 4 Canonical, Djangoproject, Fedoraproject and 1 more 4 Ubuntu Linux, Django, Fedora and 1 more 2022-10-07 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
CVE-2020-24583 4 Canonical, Djangoproject, Fedoraproject and 1 more 4 Ubuntu Linux, Django, Fedora and 1 more 2022-10-07 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
CVE-2020-13254 6 Canonical, Debian, Djangoproject and 3 more 7 Ubuntu Linux, Debian Linux, Django and 4 more 2022-09-02 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
CVE-2020-13596 6 Canonical, Debian, Djangoproject and 3 more 7 Ubuntu Linux, Debian Linux, Django and 4 more 2022-09-02 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
CVE-2021-45115 2 Djangoproject, Fedoraproject 2 Django, Fedora 2022-07-12 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
CVE-2021-44420 5 Canonical, Debian, Djangoproject and 2 more 5 Ubuntu Linux, Debian Linux, Django and 2 more 2022-07-12 7.5 HIGH 7.3 HIGH
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
CVE-2021-23336 6 Debian, Djangoproject, Fedoraproject and 3 more 12 Debian Linux, Django, Fedora and 9 more 2022-03-04 4.0 MEDIUM 5.9 MEDIUM
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
CVE-2021-33203 2 Djangoproject, Fedoraproject 2 Django, Fedora 2022-02-25 4.0 MEDIUM 4.9 MEDIUM
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
CVE-2021-31542 3 Debian, Djangoproject, Fedoraproject 3 Debian Linux, Django, Fedora 2022-02-25 5.0 MEDIUM 7.5 HIGH
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVE-2021-33571 2 Djangoproject, Fedoraproject 2 Django, Fedora 2022-02-22 5.0 MEDIUM 7.5 HIGH
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .