Lucene search

K
DjangoprojectDjango

120 matches found

CVE
CVE
added 2014/05/16 3:55 p.m.80 views

CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.

6.4CVSS5.8AI score0.00512EPSS
CVE
CVE
added 2015/01/16 4:59 p.m.80 views

CVE-2015-0222

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

5CVSS6.9AI score0.04573EPSS
CVE
CVE
added 2012/07/31 5:55 p.m.79 views

CVE-2012-3443

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

5CVSS6.2AI score0.01382EPSS
CVE
CVE
added 2014/08/26 2:55 p.m.79 views

CVE-2014-0480

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL...

5.8CVSS6.2AI score0.00483EPSS
CVE
CVE
added 2014/08/26 2:55 p.m.79 views

CVE-2014-0481

The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a ...

4.3CVSS6.3AI score0.01487EPSS
CVE
CVE
added 2015/03/25 2:59 p.m.74 views

CVE-2015-2316

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

5CVSS6.4AI score0.01075EPSS
CVE
CVE
added 2014/04/23 3:55 p.m.72 views

CVE-2014-0473

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

5CVSS6.4AI score0.00367EPSS
CVE
CVE
added 2015/03/12 2:59 p.m.72 views

CVE-2015-2241

Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.

4.3CVSS5.5AI score0.00257EPSS
CVE
CVE
added 2009/10/13 10:30 a.m.71 views

CVE-2009-3695

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regul...

5CVSS6.2AI score0.06201EPSS
CVE
CVE
added 2013/09/16 7:14 p.m.71 views

CVE-2013-4315

Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.

5CVSS6.3AI score0.01162EPSS
CVE
CVE
added 2015/06/02 2:59 p.m.71 views

CVE-2015-3982

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

5CVSS6.5AI score0.00322EPSS
CVE
CVE
added 2012/07/31 5:55 p.m.68 views

CVE-2012-3444

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

5CVSS6.3AI score0.0119EPSS
CVE
CVE
added 2014/05/16 3:55 p.m.68 views

CVE-2014-3730

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\djangoproject.com."

4.3CVSS6.3AI score0.00988EPSS
CVE
CVE
added 2015/07/14 5:59 p.m.65 views

CVE-2015-5145

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

7.8CVSS6.4AI score0.01936EPSS
CVE
CVE
added 2023/11/02 6:15 a.m.61 views

CVE-2023-46695

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of ...

7.5CVSS7.2AI score0.01977EPSS
CVE
CVE
added 2016/02/08 7:59 p.m.60 views

CVE-2016-2048

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

6CVSS5.4AI score0.00142EPSS
CVE
CVE
added 2024/10/08 4:15 p.m.59 views

CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only ...

5.3CVSS7.2AI score0.00053EPSS
CVE
CVE
added 2013/10/04 5:55 p.m.57 views

CVE-2013-6044

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function,...

4.3CVSS5.6AI score0.04123EPSS
CVE
CVE
added 2013/10/04 5:55 p.m.53 views

CVE-2013-4249

Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.

4.3CVSS5.5AI score0.00142EPSS
CVE
CVE
added 2025/04/02 1:15 p.m.43 views

CVE-2025-27556

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack vi...

5.8CVSS7.1AI score0.00019EPSS
Total number of security vulnerabilities120