Django@1.6.6 Security Vulnerabilities and Issues — Django@1.6.6 CVE List

Lucene search

DjangoprojectDjango1.6.6

8 matches found

CVE•added 2015/07/14 5:59 p.m.•139 views

CVE-2015-5143

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

7.8CVSS6.3AI score0.15813EPSS

CVE•added 2015/07/14 5:59 p.m.•98 views

CVE-2015-5144

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a ...

4.3CVSS6.5AI score0.01493EPSS

CVE•added 2015/01/16 4:59 p.m.•86 views

CVE-2015-0219

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

5CVSS6.3AI score0.03722EPSS

CVE•added 2015/03/25 2:59 p.m.•86 views

CVE-2015-2317

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x0...

4.3CVSS5.5AI score0.03149EPSS

CVE•added 2015/01/16 4:59 p.m.•84 views

CVE-2015-0221

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

5CVSS6.2AI score0.08824EPSS

CVE•added 2015/01/16 4:59 p.m.•81 views

CVE-2015-0220

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a ...

4.3CVSS5.3AI score0.02316EPSS

CVE•added 2015/01/16 4:59 p.m.•80 views

CVE-2015-0222

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

5CVSS6.9AI score0.04573EPSS

CVE•added 2015/03/25 2:59 p.m.•74 views

CVE-2015-2316

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

5CVSS6.4AI score0.0227EPSS