6 matches found
SQL Injection in Django
A SQL injection issue was discovered in QuerySet.explain in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary with dictionary expansion as the options argument, and placing the injection payload in an option name...
DEBIAN-CVE-2021-45452
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it...
PT-2021-4594 · Django +4 · Django +4
Name of the Vulnerable Software and Affected Versions: Django versions 2.2 before 2.2.20 Django versions 3.0 before 3.0.14 Django versions 3.1 before 3.1.8 Description: The issue is related to the MultiPartParser component in Django, which has a directory path restriction flaw. This flaw can be...
GHSA-WPJR-J57X-WXFW Data leakage via cache key collision in Django
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage...
PYSEC-2019-11
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars and words methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability i...
PYSEC-2019-9
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...