Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Djangoproject Subscribe
Filtered by product Django
Total 97 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-14574 3 Canonical, Debian, Djangoproject 3 Ubuntu Linux, Debian Linux, Django 2019-03-01 5.8 MEDIUM 6.1 MEDIUM
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
CVE-2018-7537 3 Canonical, Debian, Djangoproject 3 Ubuntu Linux, Debian Linux, Django 2019-02-28 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
CVE-2015-2316 5 Canonical, Djangoproject, Fedoraproject and 2 more 5 Ubuntu Linux, Django, Fedora and 2 more 2018-10-30 5.0 MEDIUM N/A
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
CVE-2014-3730 4 Canonical, Debian, Djangoproject and 1 more 4 Ubuntu Linux, Debian Linux, Django and 1 more 2018-10-30 4.3 MEDIUM N/A
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
CVE-2014-0480 2 Djangoproject, Opensuse 2 Django, Opensuse 2018-10-30 5.8 MEDIUM N/A
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
CVE-2015-2317 6 Canonical, Debian, Djangoproject and 3 more 6 Ubuntu Linux, Debian Linux, Django and 3 more 2018-10-30 4.3 MEDIUM N/A
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
CVE-2014-0483 2 Djangoproject, Opensuse 2 Django, Opensuse 2018-10-30 3.5 LOW N/A
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
CVE-2014-0482 2 Djangoproject, Opensuse 2 Django, Opensuse 2018-10-30 6.0 MEDIUM N/A
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
CVE-2014-0481 4 Debian, Djangoproject, Opensuse and 1 more 4 Debian Linux, Django, Opensuse and 1 more 2018-10-30 4.3 MEDIUM N/A
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.
CVE-2017-7233 1 Djangoproject 1 Django 2018-10-17 5.8 MEDIUM 6.1 MEDIUM
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
CVE-2016-6186 2 Debian, Djangoproject 2 Debian Linux, Django 2018-10-09 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
CVE-2017-12794 1 Djangoproject 1 Django 2018-03-15 4.3 MEDIUM 6.1 MEDIUM
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
CVE-2011-4140 1 Djangoproject 1 Django 2018-01-17 6.8 MEDIUM N/A
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
CVE-2011-4136 1 Djangoproject 1 Django 2018-01-17 5.8 MEDIUM N/A
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVE-2011-4139 1 Djangoproject 1 Django 2018-01-17 5.0 MEDIUM N/A
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
CVE-2011-4137 1 Djangoproject 1 Django 2018-01-17 5.0 MEDIUM N/A
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
CVE-2011-4138 1 Djangoproject 1 Django 2018-01-17 5.0 MEDIUM N/A
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
CVE-2016-7401 3 Canonical, Debian, Djangoproject 3 Ubuntu Linux, Debian Linux, Django 2018-01-04 5.0 MEDIUM 7.5 HIGH
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
CVE-2013-6044 1 Djangoproject 1 Django 2017-11-16 4.3 MEDIUM N/A
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
CVE-2016-9014 3 Canonical, Djangoproject, Fedoraproject 3 Ubuntu Linux, Django, Fedora 2017-11-03 6.8 MEDIUM 8.1 HIGH
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.