Django@1.8.0 Security Vulnerabilities and Issues — Django@1.8.0 CVE List

Lucene search

DjangoprojectDjango1.8.0

9 matches found

CVE•added 2015/07/14 5:59 p.m.•139 views

CVE-2015-5143

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

7.8CVSS6.3AI score0.15813EPSS

CVE•added 2015/07/14 5:59 p.m.•98 views

CVE-2015-5144

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a ...

4.3CVSS6.5AI score0.01493EPSS

CVE•added 2015/08/24 2:59 p.m.•91 views

CVE-2015-5963

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth...

5CVSS6.4AI score0.08126EPSS

CVE•added 2015/03/25 2:59 p.m.•86 views

CVE-2015-2317

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x0...

4.3CVSS5.5AI score0.03149EPSS

CVE•added 2015/08/24 2:59 p.m.•84 views

CVE-2015-5964

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session ...

5CVSS6.5AI score0.07512EPSS

CVE•added 2015/12/07 8:59 p.m.•84 views

CVE-2015-8213

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.

5CVSS6.1AI score0.02962EPSS

CVE•added 2015/03/25 2:59 p.m.•74 views

CVE-2015-2316

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

5CVSS6.4AI score0.0227EPSS

CVE•added 2015/06/02 2:59 p.m.•71 views

CVE-2015-3982

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

5CVSS6.5AI score0.00322EPSS

CVE•added 2015/07/14 5:59 p.m.•65 views

CVE-2015-5145

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

7.8CVSS6.4AI score0.01936EPSS