Lucene search

K

91 matches found

CVE
CVE
added 2024/08/07 3:15 p.m.136 views

CVE-2024-41989

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

7.5CVSS6.8AI score0.00173EPSS
CVE
CVE
added 2020/09/01 1:15 p.m.132 views

CVE-2020-24583

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level ...

7.5CVSS7.3AI score0.02402EPSS
CVE
CVE
added 2020/09/01 1:15 p.m.132 views

CVE-2020-24584

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

7.5CVSS7.3AI score0.01356EPSS
CVE
CVE
added 2020/06/03 2:15 p.m.130 views

CVE-2020-13596

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

6.1CVSS5.9AI score0.01231EPSS
CVE
CVE
added 2024/08/07 3:15 p.m.130 views

CVE-2024-42005

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

9.8CVSS7.8AI score0.00285EPSS
CVE
CVE
added 2025/05/08 4:17 a.m.130 views

CVE-2025-32873

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter s...

7.5CVSS5.1AI score0.00025EPSS
CVE
CVE
added 2022/08/03 2:15 p.m.121 views

CVE-2022-36359

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

8.8CVSS8.3AI score0.00406EPSS
CVE
CVE
added 2018/10/02 6:29 p.m.116 views

CVE-2018-16984

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1)...

4.9CVSS5.2AI score0.01108EPSS
CVE
CVE
added 2024/10/08 4:15 p.m.114 views

CVE-2024-45230

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

7.5CVSS6.9AI score0.00139EPSS
CVE
CVE
added 2011/10/19 10:55 a.m.110 views

CVE-2011-4136

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session...

5.8CVSS6.3AI score0.01022EPSS
CVE
CVE
added 2025/06/05 3:15 a.m.107 views

CVE-2025-48432

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are vie...

4CVSS4.7AI score0.00033EPSS
CVE
CVE
added 2011/10/19 10:55 a.m.106 views

CVE-2011-4140

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page c...

6.8CVSS6.7AI score0.004EPSS
CVE
CVE
added 2014/04/23 3:55 p.m.102 views

CVE-2014-0474

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, re...

10CVSS6.7AI score0.06294EPSS
CVE
CVE
added 2011/10/19 10:55 a.m.101 views

CVE-2011-4137

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated wit...

5CVSS7.5AI score0.02608EPSS
CVE
CVE
added 2015/07/14 5:59 p.m.98 views

CVE-2015-5144

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a ...

4.3CVSS6.5AI score0.01493EPSS
CVE
CVE
added 2019/12/02 2:15 p.m.98 views

CVE-2019-19118

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, f...

6.5CVSS6.3AI score0.00293EPSS
CVE
CVE
added 2011/01/10 8:0 p.m.95 views

CVE-2010-4534

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series o...

4CVSS5.5AI score0.00553EPSS
CVE
CVE
added 2011/01/10 8:0 p.m.95 views

CVE-2010-4535

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that ...

5CVSS6.5AI score0.04746EPSS
CVE
CVE
added 2024/08/07 3:15 p.m.94 views

CVE-2024-41991

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

7.5CVSS6.8AI score0.00173EPSS
CVE
CVE
added 2014/08/26 2:55 p.m.91 views

CVE-2014-0482

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relat...

6CVSS5.9AI score0.00711EPSS
CVE
CVE
added 2012/07/31 5:55 p.m.87 views

CVE-2012-3442

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

4.3CVSS5.4AI score0.00442EPSS
CVE
CVE
added 2015/01/16 4:59 p.m.86 views

CVE-2015-0219

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

5CVSS6.3AI score0.03722EPSS
CVE
CVE
added 2015/03/25 2:59 p.m.86 views

CVE-2015-2317

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x0...

4.3CVSS5.5AI score0.01493EPSS
CVE
CVE
added 2011/10/19 10:55 a.m.85 views

CVE-2011-4138

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrar...

5CVSS6.5AI score0.00755EPSS
CVE
CVE
added 2015/12/07 8:59 p.m.85 views

CVE-2015-8213

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.

5CVSS6.1AI score0.02962EPSS
CVE
CVE
added 2014/08/26 2:55 p.m.84 views

CVE-2014-0483

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field...

3.5CVSS5.5AI score0.00428EPSS
CVE
CVE
added 2015/01/16 4:59 p.m.84 views

CVE-2015-0221

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

5CVSS6.2AI score0.08824EPSS
CVE
CVE
added 2011/10/19 10:55 a.m.83 views

CVE-2011-4139

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

5CVSS6.3AI score0.00567EPSS
CVE
CVE
added 2014/04/23 3:55 p.m.82 views

CVE-2014-0472

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

5.1CVSS7AI score0.06894EPSS
CVE
CVE
added 2024/08/07 3:15 p.m.82 views

CVE-2024-41990

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

7.5CVSS6.8AI score0.00164EPSS
CVE
CVE
added 2015/01/16 4:59 p.m.81 views

CVE-2015-0220

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a ...

4.3CVSS5.3AI score0.02316EPSS
CVE
CVE
added 2015/01/16 4:59 p.m.80 views

CVE-2015-0222

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

5CVSS6.9AI score0.04573EPSS
CVE
CVE
added 2012/07/31 5:55 p.m.79 views

CVE-2012-3443

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

5CVSS6.2AI score0.01382EPSS
CVE
CVE
added 2014/08/26 2:55 p.m.79 views

CVE-2014-0480

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL...

5.8CVSS6.2AI score0.00483EPSS
CVE
CVE
added 2014/08/26 2:55 p.m.79 views

CVE-2014-0481

The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a ...

4.3CVSS6.3AI score0.01487EPSS
CVE
CVE
added 2014/04/23 3:55 p.m.72 views

CVE-2014-0473

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

5CVSS6.4AI score0.00367EPSS
CVE
CVE
added 2015/03/12 2:59 p.m.72 views

CVE-2015-2241

Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.

4.3CVSS5.5AI score0.00257EPSS
CVE
CVE
added 2012/07/31 5:55 p.m.68 views

CVE-2012-3444

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

5CVSS6.3AI score0.0119EPSS
CVE
CVE
added 2023/11/02 6:15 a.m.61 views

CVE-2023-46695

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of ...

7.5CVSS7.2AI score0.01977EPSS
CVE
CVE
added 2024/10/08 4:15 p.m.59 views

CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only ...

5.3CVSS7.2AI score0.00053EPSS
CVE
CVE
added 2025/04/02 1:15 p.m.43 views

CVE-2025-27556

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack vi...

5.8CVSS7.1AI score0.00019EPSS
Total number of security vulnerabilities91