Vulnerabilities (CVE)

Filtered by vendor Djangoproject Subscribe
Total 106 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-5143 4 Canonical, Debian, Djangoproject and 1 more 4 Ubuntu Linux, Debian Linux, Django and 1 more 2023-12-10 7.8 HIGH N/A
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
CVE-2016-2048 1 Djangoproject 1 Django 2023-12-10 6.0 MEDIUM 5.5 MEDIUM
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
CVE-2015-5144 4 Canonical, Debian, Djangoproject and 1 more 4 Ubuntu Linux, Debian Linux, Django and 1 more 2023-12-10 4.3 MEDIUM N/A
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
CVE-2015-8213 1 Djangoproject 1 Django 2023-12-10 5.0 MEDIUM N/A
The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
CVE-2016-7401 3 Canonical, Debian, Djangoproject 3 Ubuntu Linux, Debian Linux, Django 2023-12-10 5.0 MEDIUM 7.5 HIGH
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
CVE-2015-5963 3 Canonical, Djangoproject, Oracle 3 Ubuntu Linux, Django, Solaris 2023-12-10 5.0 MEDIUM N/A
contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.
CVE-2011-4104 1 Djangoproject 1 Tastypie 2023-12-10 7.5 HIGH N/A
The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.
CVE-2014-3730 4 Canonical, Debian, Djangoproject and 1 more 4 Ubuntu Linux, Debian Linux, Django and 1 more 2023-12-10 4.3 MEDIUM N/A
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
CVE-2014-0474 2 Canonical, Djangoproject 2 Ubuntu Linux, Django 2023-12-10 10.0 HIGH N/A
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
CVE-2014-0481 4 Debian, Djangoproject, Opensuse and 1 more 4 Debian Linux, Django, Opensuse and 1 more 2023-12-10 4.3 MEDIUM N/A
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.
CVE-2014-0483 2 Djangoproject, Opensuse 2 Django, Opensuse 2023-12-10 3.5 LOW N/A
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
CVE-2015-2316 5 Canonical, Djangoproject, Fedoraproject and 2 more 5 Ubuntu Linux, Django, Fedora and 2 more 2023-12-10 5.0 MEDIUM N/A
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
CVE-2014-0472 2 Canonical, Djangoproject 2 Ubuntu Linux, Django 2023-12-10 5.1 MEDIUM N/A
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
CVE-2014-0473 2 Canonical, Djangoproject 2 Ubuntu Linux, Django 2023-12-10 5.0 MEDIUM N/A
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
CVE-2015-0219 1 Djangoproject 1 Django 2023-12-10 5.0 MEDIUM N/A
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
CVE-2015-0222 2 Canonical, Djangoproject 2 Ubuntu Linux, Django 2023-12-10 5.0 MEDIUM N/A
ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.
CVE-2015-2241 1 Djangoproject 1 Django 2023-12-10 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
CVE-2015-2317 6 Canonical, Debian, Djangoproject and 3 more 6 Ubuntu Linux, Debian Linux, Django and 3 more 2023-12-10 4.3 MEDIUM N/A
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
CVE-2014-0480 2 Djangoproject, Opensuse 2 Django, Opensuse 2023-12-10 5.8 MEDIUM N/A
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
CVE-2015-0220 2 Canonical, Djangoproject 2 Ubuntu Linux, Django 2023-12-10 4.3 MEDIUM N/A
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.