VYPR

PyPI package

django

pkg:pypi/django

Vulnerabilities (151)

  • CVE-2011-0696 (Feb 14, 2011)
    affected: >= 1.1, < 1.1.4; fixed: 1.1.4

    Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination

  • CVE-2010-4535 (Jan 10, 2011)
    affected: < 1.1.3; fixed: 1.1.3

    The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumpti

  • CVE-2010-4534 (Jan 10, 2011)
    affected: < 1.1.3; fixed: 1.1.3

    The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive informa

  • CVE-2010-3082 (Sep 14, 2010)
    affected: >= 1.2, < 1.2.2; fixed: 1.2.2

    Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.

  • CVE-2009-3695 (Oct 13, 2009)
    affected: >= 1.0, < 1.0.4; fixed: 1.0.4

    Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of back

  • CVE-2009-2659 (Aug 4, 2009)
    affected: >= 0.96.0, < 0.96.4; fixed: 0.96.4

    The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.

  • CVE-2008-3909 (Sep 4, 2008)
    affected: >= 0.91.0, < 0.91.3; fixed: 0.91.3

    The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unsp

  • CVE-2008-2302 (May 23, 2008)
    affected: >= 0.91, < 0.91.2; fixed: 0.91.2

    Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request.

  • CVE-2007-5712 (Oct 30, 2007)
    affected: >= 0.96.0, < 0.96.1; fixed: 0.96.1

    The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP re

  • CVE-2007-0405 (Jan 23, 2007)
    affected: >= 0.95, < 1.0; fixed: 1.0

    The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.

  • CVE-2007-0404 (Jan 23, 2007)
    affected: >= 0.95, < 1.0; fixed: 1.0

    bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.

Page 8 of 8