django
PyPI | 147 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting django (page 1 of 3)
- CVE-2007-0404 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.0 | 2007-01-23
vulnerable: 0.95
bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo…
- CVE-2007-0405 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.0 | 2007-01-23
vulnerable: 0.95
The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.
- CVE-2007-5712 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.1 | 2007-10-30
vulnerable: 1.0.1, 1.0.2, 1.0.3, 1.0.4
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of serv…
- CVE-2008-2302 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.1 | 2008-05-23
vulnerable: 1.0.1, 1.0.2, 1.0.3, 1.0.4
Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the UR…
- CVE-2008-3909 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.1 | 2008-09-04
vulnerable: 1.0.1, 1.0.2, 1.0.3, 1.0.4
The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) a…
- CVE-2009-2659 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.1 | 2009-08-04
vulnerable: 1.0.1, 1.0.2, 1.0.3, 1.0.4
The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files v…
- CVE-2009-3695 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.1.1 | 2009-10-13
vulnerable: 1.0.1, 1.0.2, 1.0.3, 1.1
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (…
- CVE-2010-3082 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.2.2 | 2010-09-14
vulnerable: 1.2, 1.2.1
Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
- CVE-2010-4534 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.2.4 | 2011-01-10
vulnerable: 1.0.1 ... 1.2.3 (11 versions)
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authen…
- CVE-2010-4535 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.2.4 | 2011-01-10
vulnerable: 1.0.1 ... 1.2.3 (11 versions)
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to caus…
- CVE-2011-0696 | severity: NONE | CVSS 0.0 | EG 0.0 | 2011-02-14
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged A…
- CVE-2011-0697 | severity: NONE | CVSS 0.0 | EG 0.0 | 2011-02-14
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
- CVE-2011-0698 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.2.5 | 2011-02-14
vulnerable: 1.1 ... 1.2.4 (9 versions)
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
- CVE-2011-4136 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.3.1 | 2011-10-19
vulnerable: 1.0.1 ... 1.3 (17 versions)
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a sess…
- CVE-2011-4137 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.3.1 | 2011-10-19
vulnerable: 1.0.1 ... 1.3 (17 versions)
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denia…
- CVE-2011-4138 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.3.1 | 2011-10-19
vulnerable: 1.0.1 ... 1.3 (17 versions)
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redi…
- CVE-2011-4139 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.3.1 | 2011-10-19
vulnerable: 1.0.1 ... 1.3 (17 versions)
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
- CVE-2011-4140 | severity: NONE | CVSS 0.0 | EG 7.5 | ✓ Fixed in 1.3.1 | 2011-10-19
vulnerable: 1.0.1 ... 1.3 (17 versions)
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged reques…
- CVE-2012-3442 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.4.1 | 2012-07-31
vulnerable: 1.0.1 ... 1.4 (20 versions)
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct…
- CVE-2012-3443 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.4.1 | 2012-07-31
vulnerable: 1.0.1 ... 1.4 (20 versions)
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) …
- CVE-2012-3444 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.4.1 | 2012-07-31
vulnerable: 1.0.1 ... 1.4 (20 versions)
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of serv…
- CVE-2012-4520 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.4.2 | 2012-11-18
vulnerable: 1.3 ... 1.4.1 (6 versions)
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
- CVE-2013-0305 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.4.4 | 2013-05-02
vulnerable: 1.3 ... 1.4.3 (10 versions)
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object…
- CVE-2013-0306 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.4.4 | 2013-05-02
vulnerable: 1.3 ... 1.4.3 (10 versions)
The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger ser…
- CVE-2013-1443 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.5.4 | 2013-09-23
vulnerable: 1.4 ... 1.5.3 (12 versions)
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashe…
- CVE-2013-1664 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.4.4 | 2013-04-03
vulnerable: 1.4, 1.4.1, 1.4.2, 1.4.3
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a …
- CVE-2013-1665 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.4.4 | 2013-04-03
vulnerable: 1.4, 1.4.1, 1.4.2, 1.4.3
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in con…
- CVE-2013-4249 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.5.2 | 2013-10-04
vulnerable: 1.5, 1.5.1
Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.
- CVE-2013-4315 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.5.3 | 2013-09-16
vulnerable: 1.4 ... 1.5.2 (10 versions)
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot)…
- CVE-2013-6044 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.5.2 | 2013-10-04
vulnerable: 1.4 ... 1.5.1 (8 versions)
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vuln…
- CVE-2014-0472 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.6.3 | 2014-04-23
vulnerable: 1.0.1 ... 1.6.2 (45 versions)
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that con…
- CVE-2014-0473 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.6.3 | 2014-04-23
vulnerable: 1.0.1 ... 1.6.2 (45 versions)
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the …
- CVE-2014-0474 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.6.3 | 2014-04-23
vulnerable: 1.0.1 ... 1.6.2 (45 versions)
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows…
- CVE-2014-0480 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.6.6 | 2014-08-26
vulnerable: 1.0.1 ... 1.6.5 (54 versions)
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // …
- CVE-2014-0481 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.6.6 | 2014-08-26
vulnerable: 1.0.1 ... 1.6.5 (54 versions)
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting…
- CVE-2014-0482 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.6.6 | 2014-08-26
vulnerable: 1.0.1 ... 1.6.5 (54 versions)
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote …
- CVE-2014-0483 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.6.6 | 2014-08-26
vulnerable: 1.0.1 ... 1.6.5 (54 versions)
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authen…
- CVE-2014-1418 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.7b4 | 2014-05-16
vulnerable: 1.4 ... 1.6.4 (26 versions)
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or po…
- CVE-2014-3730 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.7b4 | 2014-05-16
vulnerable: 1.4 ... 1.6.4 (26 versions)
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed…
- CVE-2015-0219 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.7.3 | 2015-01-16
vulnerable: 1.0.1 ... 1.7.2 (69 versions)
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User heade…
- CVE-2015-0220 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.7.3 | 2015-01-16
vulnerable: 1.0.1 ... 1.7.2 (69 versions)
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a …
- CVE-2015-0221 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.7.3 | 2015-01-16
vulnerable: 1.0.1 ... 1.7.2 (69 versions)
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line i…
- CVE-2015-0222 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.7.3 | 2015-01-16
vulnerable: 1.0.1 ... 1.7.2 (69 versions)
ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of S…
- CVE-2015-2241 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8b2 | 2015-03-12
vulnerable: 1.0.1 ... 1.8b1 (81 versions)
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_f…
- CVE-2015-2316 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8c1 | 2015-03-25
vulnerable: 1.6 ... 1.8b2 (21 versions)
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the len…
- CVE-2015-2317 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8c1 | 2015-03-25
vulnerable: 1.0.1 ... 1.8b2 (79 versions)
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attack…
- CVE-2015-3982 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8.2 | 2015-06-02
vulnerable: 1.8, 1.8.1
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
- CVE-2015-5143 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8.3 | 2015-07-14
vulnerable: 1.0.1 ... 1.8.2 (83 versions)
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
- CVE-2015-5144 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8.3 | 2015-07-14
vulnerable: 1.0.1 ... 1.8.2 (83 versions)
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline…
- CVE-2015-5145 | severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8.3 | 2015-07-14
vulnerable: 1.8, 1.8.1, 1.8.2
validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.