6 matches found
CVE-2009-2659
CVE-2009-2659 affects the Django Admin media handler in core/servers/basehttp.py for Django 1.0 and 0.96. The vulnerability arises from improper mapping of URL requests to static media files, enabling directory traversal and reading arbitrary files via a crafted URL. Descriptions in connected rec...
CVE-2007-5712
The CVE-2007-5712 issue affects Django’s i18n framework (versions 0.91, 0.95, 0.95.1, 0.96) and is also observed when used in PyLucid. The vulnerability allows remote attackers to induce memory consumption (DoS) by sending many HTTP requests with large Accept-Language headers. Public docs record ...
CVE-2008-2302
The CVE-2008-2302 issue is a cross-site scripting (XSS) vulnerability in Django’s admin login form. Affected products/versions: Django 0.91 before 0.91.2, Django 0.95 before 0.95.3, and Django 0.96 before 0.96.2. The vulnerability allows remote attackers to inject arbitrary script/HTML via the UR...
CVE-2007-0405
CVE-2007-0405 affects Django 0.95: the LazyUser class in AuthenticationMiddleware does not properly cache the username across requests, allowing remote authenticated users to gain the privileges of a different user. Impact and exploit details are not provided beyond this description in the suppli...
CVE-2007-0404
CVE-2007-0404 affects Django 0.95. The vulnerability lies in bin/compile-messages.py, which invokes msgfmt via os.system without quoting argument strings, allowing an attacker to inject shell metacharacters via a (1) .po or (2) .mo file and execute arbitrary commands. The underlying cause is unsa...
CVE-2007-5828
Cross-site request forgery (CSRF) vulnerability in Django 0.96 is exposed in the admin panel, allowing remote attackers to change passwords via a request to admin/auth/user/1/password/. The issue stems from the default configuration not enabling the CSRF protection module, though Debian notes thi...