Django@1.9.2 Security Vulnerabilities and Issues — Django@1.9.2 CVE List

Lucene search

DjangoprojectDjango1.9.2

8 matches found

CVE•added 2017/04/04 5:59 p.m.•449 views

CVE-2017-7233

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open...

6.1CVSS6AI score0.00747EPSS

CVE•added 2016/12/09 8:59 p.m.•416 views

CVE-2016-9014

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

8.1CVSS8.6AI score0.03184EPSS

CVE•added 2016/12/09 8:59 p.m.•410 views

CVE-2016-9013

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually s...

9.8CVSS9AI score0.02723EPSS

CVE•added 2016/08/05 3:59 p.m.•402 views

CVE-2016-6186

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors i...

6.1CVSS5.9AI score0.13095EPSS

CVE•added 2016/10/03 6:59 p.m.•397 views

CVE-2016-7401

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

7.5CVSS7.5AI score0.06495EPSS

CVE•added 2017/04/04 5:59 p.m.•132 views

CVE-2017-7234

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the django.views.static.serve() view could redirect to any other domain, aka an open redirect vulnerability.

6.1CVSS6.1AI score0.00422EPSS

CVE•added 2016/04/08 3:59 p.m.•110 views

CVE-2016-2512

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http:...

7.4CVSS7AI score0.00458EPSS

CVE•added 2016/04/08 3:59 p.m.•91 views

CVE-2016-2513

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

3.1CVSS5.3AI score0.01086EPSS