
Debian Python-Django vulnerabilities

140 known vulnerabilities affecting debian/python-django.

Total CVEs: 140
CISA KEV: 0
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 40, MEDIUM 73, LOW 16

Vulnerabilities

Page 5 of 7
CVE-2014-1418 | P4 | MEDIUM | CVSS 6.4 | fixed in python-django 1.6.5-1 (bookworm) | 2014
python-django: Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.
Scope: local; bookworm: resolved (fixed in 1.6.5-1); bullseye: resolved (
Source: debian
CVE-2013-4315 | P4 | MEDIUM | CVSS 5.0 | fixed in python-django 1.5.3-1 (bookworm) | 2013
python-django: Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.
Scope: local; bookworm: resolved (fixed in 1.5.3-1); bullseye: resolved (fixed in 1.5.3-1); forky: res
Source: debian
CVE-2021-45452 | P4 | MEDIUM | CVSS 5.3 | fixed in python-django 2:3.2.11-1 (bookworm) | 2021
python-django: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
Scope: local; bookworm: resolved (fixed in 2:3.2.11-1); bullseye: resolved (fixed in 2:2.2.26-1~deb11u1); forky: resolved (fixed in 2:3.2.11-1); sid: resolved (fixed in 2:3.2.11-1); trixie: resolved (fixed in
Source: debian
CVE-2019-12781 | P4 | MEDIUM | CVSS 5.3 | fixed in python-django 1:1.11.22-1 (bookworm) | 2019
python-django: An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.
Scope:
Source: debian
CVE-2024-45231 | P4 | MEDIUM | CVSS 5.3 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
python-django: An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Scope: local; bo
Source: debian
CVE-2021-32052 | P4 | LOW | CVSS 6.1 | fixed in python-django 2:2.2.22-1 (bookworm) | 2021
python-django [MEDIUM]: In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
Source: debian
CVE-2020-13596 | P4 | MEDIUM | CVSS 6.1 | fixed in python-django 2:2.2.13-1 (bookworm) | 2020
python-django: An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
Scope: local; bookworm: resolved (fixed in 2:2.2.13-1); bullseye: resolved (fixed in 2:2.2.13-1); forky: resolved (fixed in 2:2.2.13-1); sid: resol
Source: debian
CVE-2016-2048 | P4 | MEDIUM | CVSS 5.5 | fixed in python-django 1.9.2-1 (bookworm) | 2016
python-django: Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Scope: local; bookworm: resolved (fixed in 1.9.2-1); bullseye: resolved (fixed in 1.9.2-1); forky: resolv
Source: debian
CVE-2009-2659 | P4 | LOW | CVSS 5.0 | fixed in python-django 1.1-1 (bookworm) | 2009
python-django [MEDIUM]: The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.
Scope: local; bookworm: resolved (fixed in 1.1-1); bullseye: resolved (fixed in 1.1-1); forky: resolved (fix
Source: debian
CVE-2022-22818 | P4 | MEDIUM | CVSS 6.1 | fixed in python-django 2:3.2.12-1 (bookworm) | 2022
python-django: The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Scope: local; bookworm: resolved (fixed in 2:3.2.12-1); bullseye: resolved (fixed in 2:2.2.28-1~deb11u1); forky: resolved (fixed in 2:3.2.12-1); sid: resolved (fixed in 2:3.2.12-1); trixie: resolved
Source: debian
CVE-2011-4140 | P4 | MEDIUM | CVSS 6.8 | fixed in python-django 1.3.1-1 (bookworm) | 2011
python-django: The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
Scope: local; bookworm: resolved (fix
Source: debian
CVE-2011-4136 | P4 | MEDIUM | CVSS 5.8 | fixed in python-django 1.3.1-1 (bookworm) | 2011
python-django: django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
Scope: local; bookworm: resolved (fixed in 1.3.1-
Source: debian
CVE-2025-48432 | P4 | MEDIUM | CVSS 4.0 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
python-django: An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Scope: loc
Source: debian
CVE-2014-0473 | P4 | MEDIUM | CVSS 5.0 | fixed in python-django 1.6.3-1 (bookworm) | 2014
python-django: The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
Scope: local; bookworm: resolved (fixed in 1.6.3-1); bullseye: resolved (fixed in 1.6.3-1); f
Source: debian
CVE-2024-39329 | P4 | MEDIUM | CVSS 5.3 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
python-django: An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
Scope: local; bookworm: resolved (fixed in 3:3.2.25-0+deb12u1); bullseye: resolved (fixed in 2:
Source: debian
CVE-2015-5963 | P4 | MEDIUM | CVSS 5.0 | fixed in python-django 1.7.10-1 (bookworm) | 2015
python-django: contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session
Source: debian
CVE-2025-13372 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
python-django: An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x
Source: debian
CVE-2015-2316 | P4 | MEDIUM | CVSS 5.0 | fixed in python-django 1.7.7-1 (bookworm) | 2015
python-django: The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
Scope: local; bookworm: resolved (fixed in 1.7.7-1); bullseye: resolved (fixed in 1.7.7-1); forky: re
Source: debian
CVE-2014-0482 | P4 | MEDIUM | CVSS 6.0 | fixed in python-django 1.6.6-1 (bookworm) | 2014
python-django: The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
Scope: local; bookworm: resolved (
Source: debian
CVE-2014-0480 | P4 | MEDIUM | CVSS 5.8 | fixed in python-django 1.6.6-1 (bookworm) | 2014
python-django: The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
Scope: local; bookworm: resolved (fixed in 1.6
Source: debian
Debian Python-Django vulnerabilities | cvebase