cvebase

Debian Python-Django vulnerabilities

140 known vulnerabilities affecting debian/python-django.

Total CVEs: 140
CISA KEV: 0
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 40, MEDIUM 73, LOW 16

Vulnerabilities

Page 7 of 7
CVE-2009-3695 | P4 | MEDIUM | CVSS 5.0 | fixed in python-django 1.1.1-1 (bookworm) | 2009 | debian
[MEDIUM] Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.
Scope: local; bookworm: resolved (fixed in 1.1.1-

CVE-2012-3444 | P4 | MEDIUM | CVSS 5.0 | fixed in python-django 1.4.1-1 (bookworm) | 2012 | debian
[MEDIUM] The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.
Scope: local; bookworm: resolved (fixed in 1.4.1-1); bullseye: re

CVE-2014-3730 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 1.6.5-1 (bookworm) | 2014 | debian
[MEDIUM] The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
Scope: local; bookworm: resolved (fixed in 1.6.5-1); bullseye: resolved

CVE-2015-0220 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 1.7.1-1.1 (bookworm) | 2015 | debian
[MEDIUM] The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
Scope: local; bookworm: resolved (fixed in

CVE-2012-3443 | P4 | MEDIUM | CVSS 5.0 | fixed in python-django 1.4.1-1 (bookworm) | 2012 | debian
[MEDIUM] The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
Scope: local; bookworm: resolved (fixed in 1.4.1-1); bullseye: resolved (fixed in 1.4.1-1); forky:

CVE-2013-4249 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 1.5.2-1 (bookworm) | 2013 | debian
[MEDIUM] Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.
Scope: local; bookworm: resolved (fixed in 1.5.2-1); bullseye: resolved (fixed in 1.5.2-1); forky: resolved (fixed in 1.5.2-1)

CVE-2014-0481 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 1.6.6-1 (bookworm) | 2014 | debian
[MEDIUM] The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple fil

CVE-2013-6044 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 1.5.2-1 (bookworm) | 2013 | debian
[MEDIUM] The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.view

CVE-2010-3082 | P4 | LOW | CVSS 4.3 | fixed in python-django 1.2.3-1 (bookworm) | 2010 | debian
[MEDIUM] Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
Scope: local; bookworm: resolved (fixed in 1.2.3-1); bullseye: resolved (fixed in 1.2.3-1); forky: resolved (fixed in 1.2.3-1); sid: resolved (fixed in 1.2.3-1); trixie: resolved (fix

CVE-2011-0697 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 1.2.5-1 (bookworm) | 2011 | debian
[MEDIUM] Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
Scope: local; bookworm: resolved (fixed in 1.2.5-1); bullseye: resolved (fixed in 1.2.5-1); forky: resolved (fixed in 1.2.5-1); sid: resolved (fixed in 1.2.5-1

CVE-2016-2513 | P4 | LOW | CVSS 3.1 | fixed in python-django 1.9.4-1 (bookworm) | 2016 | debian
[LOW] The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Scope: local; bookworm: resolved (fixed in 1.9.4-1); bullseye: resolved (fixed in 1.9.4-1); forky: resolved (fixed in 1.9.4-1); sid: resolved (fixed in 1.9.4-1); trixie: resolved (fixed i

CVE-2015-2241 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 1.7.6-1 (bookworm) | 2015 | debian
[MEDIUM] Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Scope: local; bookworm: resolved (fixed in 1.7.6-1); bullseye: resolved (fixed in 1.7.

CVE-2010-4534 | P4 | MEDIUM | CVSS 4.0 | fixed in python-django 1.2.4-1 (bookworm) | 2010 | debian
[MEDIUM] The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a

CVE-2012-3442 | P4 | MEDIUM | CVSS 4.3 | fixed in python-django 1.4.1-1 (bookworm) | 2012 | debian
[MEDIUM] The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
Scope: local; bookworm: resolved (fixed in 1.4.1-1); bullseye: resolved

CVE-2026-25674 | P4 | LOW | CVSS 3.7 | fixed in python-django 3:4.2.29-1 (forky) | 2026 | debian
[LOW] An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded

CVE-2008-2302 | P4 | LOW | CVSS 4.3 | fixed in python-django 0.96.2-1 (bookworm) | 2008 | debian
[MEDIUM] Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request.
Scope: local; bookworm: resolved (fixed in 0.96.2-1); bullseye: resolved (fixed in 0.96.2-1)

CVE-2013-0305 | P4 | MEDIUM | CVSS 4.0 | fixed in python-django 1.4.4-1 (bookworm) | 2013 | debian
[MEDIUM] The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.
Scope: local; bookworm: resolved (fixed in 1.4.4-1); bullseye: resolved (fixed in 1.4.4-1); forky: resol

CVE-2014-0483 | P4 | LOW | CVSS 3.5 | fixed in python-django 1.6.6-1 (bookworm) | 2014 | debian
[LOW] The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demo

CVE-2026-4292 | P4 | LOW | CVSS 2.7 | fixed in python-django 3:4.2.30-1 (sid) | 2026 | debian
[LOW] An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina f

CVE-2007-5712 | P4 | LOW | CVSS 2.6 | fixed in python-django 0.96-1.1 (bookworm) | 2007 | debian
[LOW] The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.
Scope: local; bookworm: resolved (fixed in