rpm package

suse/python-Django&distro=SUSE OpenStack Cloud 7

pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207

Vulnerabilities (55)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2019-3498		—	< 1.8.19-3.23.1	1.8.19-3.23.1	Jan 9, 2019	In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a use
CVE-2018-7537		—	< 1.8.19-3.4.1	1.8.19-3.4.1	Mar 9, 2018	An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking
CVE-2018-7536		—	< 1.8.19-3.4.1	1.8.19-3.4.1	Mar 9, 2018	An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expr
CVE-2018-1000115		—	< 1.8.19-3.23.1	1.8.19-3.23.1	Mar 5, 2018	Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported
CVE-2017-11481	Med	6.1	< 1.8.19-3.29.1	1.8.19-3.29.1	Dec 8, 2017	Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
CVE-2017-1000246	Med	5.3	< 1.8.19-3.23.1	1.8.19-3.23.1	Nov 17, 2017	Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.
CVE-2017-12794	Med	6.1	< 1.8.19-3.4.1	1.8.19-3.4.1	Sep 7, 2017	In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production si
CVE-2017-11499	Hig	7.5	< 1.8.19-3.29.1	1.8.19-3.29.1	Jul 25, 2017	Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building
CVE-2017-4967	Med	6.1	< 1.8.19-3.23.1	1.8.19-3.23.1	Jun 13, 2017	An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the
CVE-2017-4965	Med	6.1	< 1.8.19-3.23.1	1.8.19-3.23.1	Jun 13, 2017	An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the
CVE-2017-7234	Med	6.1	< 1.8.19-3.4.1	1.8.19-3.4.1	Apr 4, 2017	A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.
CVE-2017-7233	Med	6.1	< 1.8.19-3.4.1	1.8.19-3.4.1	Apr 4, 2017	Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they sh
CVE-2016-9014	Hig	8.1	< 1.8.19-3.4.1	1.8.19-3.4.1	Dec 9, 2016	Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
CVE-2016-9013	Cri	9.8	< 1.8.19-3.4.1	1.8.19-3.4.1	Dec 9, 2016	Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging fa
CVE-2016-7401	Hig	7.5	< 1.8.19-3.4.1	1.8.19-3.4.1	Oct 3, 2016	The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

CVE-2019-3498Jan 9, 2019
affected < 1.8.19-3.23.1fixed 1.8.19-3.23.1
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a use
CVE-2018-7537Mar 9, 2018
affected < 1.8.19-3.4.1fixed 1.8.19-3.4.1
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking
CVE-2018-7536Mar 9, 2018
affected < 1.8.19-3.4.1fixed 1.8.19-3.4.1
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expr
CVE-2018-1000115Mar 5, 2018
affected < 1.8.19-3.23.1fixed 1.8.19-3.23.1
Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported
CVE-2017-11481MedDec 8, 2017
affected < 1.8.19-3.29.1fixed 1.8.19-3.29.1
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
CVE-2017-1000246MedNov 17, 2017
affected < 1.8.19-3.23.1fixed 1.8.19-3.23.1
Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.
CVE-2017-12794MedSep 7, 2017
affected < 1.8.19-3.4.1fixed 1.8.19-3.4.1
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production si
CVE-2017-11499HigJul 25, 2017
affected < 1.8.19-3.29.1fixed 1.8.19-3.29.1
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building
CVE-2017-4967MedJun 13, 2017
affected < 1.8.19-3.23.1fixed 1.8.19-3.23.1
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the
CVE-2017-4965MedJun 13, 2017
affected < 1.8.19-3.23.1fixed 1.8.19-3.23.1
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the
CVE-2017-7234MedApr 4, 2017
affected < 1.8.19-3.4.1fixed 1.8.19-3.4.1
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.
CVE-2017-7233MedApr 4, 2017
affected < 1.8.19-3.4.1fixed 1.8.19-3.4.1
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they sh
CVE-2016-9014HigDec 9, 2016
affected < 1.8.19-3.4.1fixed 1.8.19-3.4.1
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
CVE-2016-9013CriDec 9, 2016
affected < 1.8.19-3.4.1fixed 1.8.19-3.4.1
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging fa
CVE-2016-7401HigOct 3, 2016
affected < 1.8.19-3.4.1fixed 1.8.19-3.4.1
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Page 3 of 3