Filtered by vendor Djangoproject
Subscribe
Search
Total
22 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-43665 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2023-12-21 | N/A | 7.5 HIGH |
| In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. | |||||
| CVE-2023-41164 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2023-12-14 | N/A | 7.5 HIGH |
| In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. | |||||
| CVE-2023-46695 | 1 Djangoproject | 1 Django | 2023-12-14 | N/A | 7.5 HIGH |
| An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. | |||||
| CVE-2021-31542 | 3 Debian, Djangoproject, Fedoraproject | 3 Debian Linux, Django, Fedora | 2023-12-07 | 5.0 MEDIUM | 7.5 HIGH |
| In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. | |||||
| CVE-2021-33571 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2023-12-07 | 5.0 MEDIUM | 7.5 HIGH |
| In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) . | |||||
| CVE-2022-23833 | 3 Debian, Djangoproject, Fedoraproject | 3 Debian Linux, Django, Fedora | 2023-11-22 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. | |||||
| CVE-2023-36053 | 3 Debian, Djangoproject, Fedoraproject | 3 Debian Linux, Django, Fedora | 2023-11-15 | N/A | 7.5 HIGH |
| In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. | |||||
| CVE-2021-45116 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. | |||||
| CVE-2021-44420 | 5 Canonical, Debian, Djangoproject and 2 more | 5 Ubuntu Linux, Debian Linux, Django and 2 more | 2022-07-12 | 7.5 HIGH | 7.3 HIGH |
| In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. | |||||
| CVE-2021-45115 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. | |||||
| CVE-2020-9402 | 3 Debian, Djangoproject, Fedoraproject | 3 Debian Linux, Django, Fedora | 2022-05-26 | 6.5 MEDIUM | 8.8 HIGH |
| Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. | |||||
| CVE-2020-35681 | 1 Djangoproject | 1 Channels | 2021-02-26 | 5.8 MEDIUM | 7.4 HIGH |
| Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash but, with correct timing, responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data. Note that this affects only the legacy Channels provided class, and not Django's similar ASGIHandler, available from Django 3.0. | |||||
| CVE-2020-24584 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2021-01-20 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077. | |||||
| CVE-2020-24583 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2021-01-20 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command. | |||||
| CVE-2019-6975 | 3 Canonical, Djangoproject, Fedoraproject | 3 Ubuntu Linux, Django, Fedora | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. | |||||
| CVE-2019-14233 | 2 Djangoproject, Opensuse | 2 Django, Leap | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. | |||||
| CVE-2019-14232 | 2 Djangoproject, Opensuse | 2 Django, Leap | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. | |||||
| CVE-2019-14235 | 2 Djangoproject, Opensuse | 2 Django, Leap | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | |||||
| CVE-2018-6188 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2019-03-12 | 5.0 MEDIUM | 7.5 HIGH |
| django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive. | |||||
| CVE-2016-7401 | 3 Canonical, Debian, Djangoproject | 3 Ubuntu Linux, Debian Linux, Django | 2018-01-05 | 5.0 MEDIUM | 7.5 HIGH |
| The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. | |||||
| CVE-2016-9014 | 3 Canonical, Djangoproject, Fedoraproject | 3 Ubuntu Linux, Django, Fedora | 2017-11-04 | 6.8 MEDIUM | 8.1 HIGH |
| Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS. | |||||
| CVE-2016-2512 | 1 Djangoproject | 1 Django | 2017-09-08 | 4.3 MEDIUM | 7.4 HIGH |
| The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com. | |||||