Django@1.4 Security Vulnerabilities and Issues — Django@1.4 CVE List

Lucene search

DjangoprojectDjango1.4

9 matches found

CVE•added 2014/04/23 3:55 p.m.•102 views

CVE-2014-0474

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, re...

10CVSS6.7AI score0.06294EPSS

CVE•added 2014/08/26 2:55 p.m.•91 views

CVE-2014-0482

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relat...

6CVSS5.9AI score0.00711EPSS

CVE•added 2014/08/26 2:55 p.m.•84 views

CVE-2014-0483

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field...

3.5CVSS5.5AI score0.00428EPSS

CVE•added 2014/04/23 3:55 p.m.•82 views

CVE-2014-0472

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

5.1CVSS7AI score0.06894EPSS

CVE•added 2014/05/16 3:55 p.m.•80 views

CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.

6.4CVSS5.8AI score0.00512EPSS

CVE•added 2014/08/26 2:55 p.m.•79 views

CVE-2014-0480

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL...

5.8CVSS6.2AI score0.00483EPSS

CVE•added 2014/08/26 2:55 p.m.•79 views

CVE-2014-0481

The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a ...

4.3CVSS6.3AI score0.01487EPSS

CVE•added 2014/04/23 3:55 p.m.•72 views

CVE-2014-0473

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

5CVSS6.4AI score0.00367EPSS

CVE•added 2014/05/16 3:55 p.m.•68 views

CVE-2014-3730

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\djangoproject.com."

4.3CVSS6.3AI score0.00988EPSS