Djangoproject Django

120 matches found

CVE-2021-28658 (added 2021/04/06 3:15 p.m.)

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

CVSS 5.3 | AI score 5.5 | EPSS 0.01948
CVE-2020-13254 (added 2020/06/03 2:15 p.m.)

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

CVSS 5.9 | AI score 5.9 | EPSS 0.10756
CVE-2021-45116 (added 2022/01/05 12:15 a.m.)

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suit...

CVSS 7.5 | AI score 7.1 | EPSS 0.00242
CVE-2015-5143 (added 2015/07/14 5:59 p.m.)

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

CVSS 7.8 | AI score 6.3 | EPSS 0.04798
CVE-2019-3498 (added 2019/01/09 11:29 p.m.)

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recogniz...

CVSS 6.5 | AI score 6.2 | EPSS 0.01523
CVE-2024-41989 (added 2024/08/07 3:15 p.m.)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

CVSS 7.5 | AI score 6.8 | EPSS 0.00173
CVE-2017-7234 (added 2017/04/04 5:59 p.m.)

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the django.views.static.serve() view could redirect to any other domain, aka an open redirect vulnerability.

CVSS 6.1 | AI score 6.1 | EPSS 0.00422
CVE-2020-24583 (added 2020/09/01 1:15 p.m.)

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level ...

CVSS 7.5 | AI score 7.3 | EPSS 0.02402
CVE-2020-24584 (added 2020/09/01 1:15 p.m.)

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

CVSS 7.5 | AI score 7.3 | EPSS 0.01356
CVE-2020-13596 (added 2020/06/03 2:15 p.m.)

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

CVSS 6.1 | AI score 5.9 | EPSS 0.01231
CVE-2024-42005 (added 2024/08/07 3:15 p.m.)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

CVSS 9.8 | AI score 7.8 | EPSS 0.00285
CVE-2025-32873 (added 2025/05/08 4:17 a.m.)

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter s...

CVSS 7.5 | AI score 5.1 | EPSS 0.00025
CVE-2022-36359 (added 2022/08/03 2:15 p.m.)

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

CVSS 8.8 | AI score 8.3 | EPSS 0.00406
CVE-2018-16984 (added 2018/10/02 6:29 p.m.)

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1)...

CVSS 4.9 | AI score 5.2 | EPSS 0.01108
CVE-2011-0697 (added 2011/02/14 9:00 p.m.)

Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.

CVSS 4.3 | AI score 5.4 | EPSS 0.02962
CVE-2024-45230 (added 2024/10/08 4:15 p.m.)

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

CVSS 7.5 | AI score 6.9 | EPSS 0.00139
CVE-2018-6188 (added 2018/02/05 3:29 a.m.)

django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.

CVSS 7.5 | AI score 7.1 | EPSS 0.0074
CVE-2010-3082 (added 2010/09/14 7:00 p.m.)

Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.

CVSS 4.3 | AI score 5.4 | EPSS 0.00407
CVE-2011-0696 (added 2011/02/14 9:00 p.m.)

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins...

CVSS 6.8 | AI score 6.6 | EPSS 0.0275
CVE-2011-4136 (added 2011/10/19 10:55 a.m.)

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session...

CVSS 5.8 | AI score 6.3 | EPSS 0.01022
CVE-2016-2512 (added 2016/04/08 3:59 p.m.)

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http:...

CVSS 7.4 | AI score 7 | EPSS 0.00458
CVE-2025-48432 (added 2025/06/05 3:15 a.m.)

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are vie...

CVSS 4 | AI score 4.7 | EPSS 0.00033
CVE-2011-4140 (added 2011/10/19 10:55 a.m.)

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page c...

CVSS 6.8 | AI score 6.7 | EPSS 0.004
CVE-2011-0698 (added 2011/02/14 9:00 p.m.)

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.

CVSS 7.5 | AI score 6.7 | EPSS 0.00719
CVE-2014-0474 (added 2014/04/23 3:55 p.m.)

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, re...

CVSS 10 | AI score 6.7 | EPSS 0.06294
CVE-2011-4137 (added 2011/10/19 10:55 a.m.)

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated wit...

CVSS 5 | AI score 7.5 | EPSS 0.02608
CVE-2015-5144 (added 2015/07/14 5:59 p.m.)

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a ...

CVSS 4.3 | AI score 6.5 | EPSS 0.01493
CVE-2019-19118 (added 2019/12/02 2:15 p.m.)

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, f...

CVSS 6.5 | AI score 6.3 | EPSS 0.00293
CVE-2010-4534 (added 2011/01/10 8:00 p.m.)

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series o...

CVSS 4 | AI score 5.5 | EPSS 0.00553
CVE-2010-4535 (added 2011/01/10 8:00 p.m.)

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that ...

CVSS 5 | AI score 6.5 | EPSS 0.04746
CVE-2024-41991 (added 2024/08/07 3:15 p.m.)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

CVSS 7.5 | AI score 6.8 | EPSS 0.00173
CVE-2015-5963 (added 2015/08/24 2:59 p.m.)

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth...

CVSS 5 | AI score 6.4 | EPSS 0.08126
CVE-2014-0482 (added 2014/08/26 2:55 p.m.)

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relat...

CVSS 6 | AI score 5.9 | EPSS 0.00711
CVE-2016-2513 (added 2016/04/08 3:59 p.m.)

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

CVSS 3.1 | AI score 5.3 | EPSS 0.01086
CVE-2013-1443 (added 2013/09/23 8:55 p.m.)

The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.

CVSS 5 | AI score 6.6 | EPSS 0.01174
CVE-2012-3442 (added 2012/07/31 5:55 p.m.)

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

CVSS 4.3 | AI score 5.4 | EPSS 0.00442
CVE-2013-0305 (added 2013/05/02 2:55 p.m.)

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.

CVSS 4 | AI score 6 | EPSS 0.00209
CVE-2013-0306 (added 2013/05/02 2:55 p.m.)

The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.

CVSS 5 | AI score 6.5 | EPSS 0.00562
CVE-2015-0219 (added 2015/01/16 4:59 p.m.)

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

CVSS 5 | AI score 6.3 | EPSS 0.03722
CVE-2015-2317 (added 2015/03/25 2:59 p.m.)

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x0...

CVSS 4.3 | AI score 5.5 | EPSS 0.01493
CVE-2011-4138 (added 2011/10/19 10:55 a.m.)

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrar...

CVSS 5 | AI score 6.5 | EPSS 0.00755
CVE-2015-5964 (added 2015/08/24 2:59 p.m.)

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session ...

CVSS 5 | AI score 6.5 | EPSS 0.07512
CVE-2015-8213 (added 2015/12/07 8:59 p.m.)

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.

CVSS 5 | AI score 6.1 | EPSS 0.02962
CVE-2014-0483 (added 2014/08/26 2:55 p.m.)

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field...

CVSS 3.5 | AI score 5.5 | EPSS 0.00428
CVE-2015-0221 (added 2015/01/16 4:59 p.m.)

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

CVSS 5 | AI score 6.2 | EPSS 0.08824
CVE-2011-4139 (added 2011/10/19 10:55 a.m.)

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

CVSS 5 | AI score 6.3 | EPSS 0.00567
CVE-2014-0472 (added 2014/04/23 3:55 p.m.)

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

CVSS 5.1 | AI score 7 | EPSS 0.06894
CVE-2024-41990 (added 2024/08/07 3:15 p.m.)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

CVSS 7.5 | AI score 6.8 | EPSS 0.00164
CVE-2012-4520 (added 2012/11/18 11:55 p.m.)

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

CVSS 6.4 | AI score 6.6 | EPSS 0.04443
CVE-2015-0220 (added 2015/01/16 4:59 p.m.)

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a ...

CVSS 4.3 | AI score 5.3 | EPSS 0.02316
Total number of security vulnerabilities: 120