Django Security Vulnerabilities and Issues — Django CVE List

Lucene search

DjangoprojectDjango

10 matches found

CVE•added 2022/04/12 5:15 a.m.•233 views

CVE-2022-28346

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

9.8CVSS9.4AI score0.02039EPSS

CVE•added 2022/07/04 4:15 p.m.•211 views

CVE-2022-34265

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

9.8CVSS9.5AI score0.92706EPSS

CVE•added 2022/04/12 5:15 a.m.•200 views

CVE-2022-28347

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

9.8CVSS9.5AI score0.00831EPSS

CVE•added 2022/10/16 6:15 a.m.•198 views

CVE-2022-41323

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

7.5CVSS7.2AI score0.06166EPSS

CVE•added 2022/02/03 2:15 a.m.•187 views

CVE-2022-22818

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

6.1CVSS6.1AI score0.00621EPSS

CVE•added 2022/02/03 2:15 a.m.•161 views

CVE-2022-23833

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

7.5CVSS7.2AI score0.00589EPSS

CVE•added 2022/01/05 12:15 a.m.•157 views

CVE-2021-45115

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user regis...

7.5CVSS7.3AI score0.00378EPSS

CVE•added 2022/01/05 12:15 a.m.•154 views

CVE-2021-45452

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

5.3CVSS5.3AI score0.00249EPSS

CVE•added 2022/01/05 12:15 a.m.•143 views

CVE-2021-45116

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suit...

7.5CVSS7.1AI score0.00242EPSS

CVE•added 2022/08/03 2:15 p.m.•121 views

CVE-2022-36359

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

8.8CVSS8.3AI score0.00406EPSS