Djangoproject Django vulnerabilities

150 known vulnerabilities affecting djangoproject/django.

Total CVEs: 150
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 14, HIGH 52, MEDIUM 80, LOW 4

Vulnerabilities

Page 6 of 8
CVE-2016-7401 | HIGH | CVSS 7.5 | affected: ≤ 1.8.14, v1.9.0, +9 more | published 2016-10-03
CWE-254: The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Sources: GHSA, NVD, OSV
CVE-2016-6186 | MEDIUM | CVSS 6.1 | public PoC | affected: ≤ 1.8.13, v1.9, +9 more | published 2016-08-05
CWE-79: Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Sources: GHSA, NVD, OSV
CVE-2016-2512 | HIGH | CVSS 7.4 | affected: v1.8.9, v1.9, +2 more | published 2016-04-08
CWE-79: The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Sources: GHSA, NVD, OSV
CVE-2016-2513 | LOW | CVSS 3.1 | affected: v1.8.9, v1.9, +2 more | published 2016-04-08
CWE-200: The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Sources: GHSA, NVD, OSV
CVE-2016-2048 | MEDIUM | CVSS 5.5 | affected: v1.9, v1.9.1 | published 2016-02-08
CWE-284: Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Sources: GHSA, NVD, OSV
CVE-2015-8213 | MEDIUM | CVSS 5.0 | affected: ≤ 1.7.10, v1.8.0, +7 more | published 2015-12-07
CWE-200: The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
Sources: GHSA, NVD, OSV
CVE-2015-5964 | MEDIUM | CVSS 5.0 | affected: v1.4, v1.4.1, +31 more | published 2015-08-24
CWE-399: The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.
Sources: GHSA, NVD, OSV
CVE-2015-5963 | MEDIUM | CVSS 5.0 | affected: v1.4, v1.4.1, +31 more | published 2015-08-24
CWE-399: contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty
Sources: GHSA, NVD, OSV
CVE-2015-5145 | HIGH | CVSS 7.8 | affected: v1.8.0, v1.8.1, +1 more | published 2015-07-14
CWE-399: validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Sources: GHSA, NVD, OSV
CVE-2015-5143 | HIGH | CVSS 7.8 | affected: v1.4.20, v1.5, +36 more | published 2015-07-14
CWE-399: The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
Sources: GHSA, NVD, OSV
CVE-2015-5144 | MEDIUM | CVSS 4.3 | affected: ≤ 1.4.20, v1.5, +37 more | published 2015-07-14
CWE-20: Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to
Sources: GHSA, NVD, OSV
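The regular-expression flaw behind CVE-2015-5144 is a Python anchoring detail: `$` also matches just before a trailing newline, so a value like `user@example.com\n` passes a validator whose pattern ends in `$`, and the fix in Django replaced `$` with `\Z`, which matches only at the true end of the string. The following is an added example written for this page, not Django's own validator code; the simplified email pattern, the function names and the sample values are all constructed for illustration.

```python
import re

# Simplified stand-in for an email pattern, shown with both anchors.
# ANCHOR_DOLLAR is the flawed shape: "$" matches before a final "\n".
# ANCHOR_Z is the fixed shape: "\Z" matches only at the absolute end.
ANCHOR_DOLLAR = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
ANCHOR_Z = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}\Z")


def validate_email(value, pattern=ANCHOR_Z):
    """Return True when the value matches the chosen pattern."""
    return pattern.match(value) is not None


def render_header(name, value):
    """Assemble one raw header line as a naive mailer or HTTP layer would.

    If a value with a trailing "\n" slipped through validation, the result
    ends in LF CR LF: a lenient parser reads the bare LF as a line terminator
    and the following CRLF as the end of the header block, which is the
    response-splitting primitive the advisory describes.
    """
    return f"{name}: {value}\r\n"


def is_header_safe(value):
    """Independent defence-in-depth check: refuse CR or LF in any value that
    is about to be placed in a header, regardless of what validated it."""
    return "\r" not in value and "\n" not in value


def demo():
    # Constructed inputs: a clean address and the same address with a
    # trailing newline, which is the vector named in the advisory.
    clean = "user@example.com"
    trailing_newline = "user@example.com\n"
    return {
        "clean/$": validate_email(clean, ANCHOR_DOLLAR),
        "clean/\\Z": validate_email(clean, ANCHOR_Z),
        "newline/$": validate_email(trailing_newline, ANCHOR_DOLLAR),
        "newline/\\Z": validate_email(trailing_newline, ANCHOR_Z),
        "newline/header-safe": is_header_safe(trailing_newline),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} {'ACCEPT' if accepted else 'REJECT'}")
    print(repr(render_header("Reply-To", "user@example.com\n")))
```

The second check matters because validators and header builders are often written by different people: even with `\Z` in place, rejecting CR/LF at the point where the header is assembled closes the same hole for any other path that reaches it.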
CVE-2015-3982 | MEDIUM | CVSS 5.0 | affected: v1.8.0, v1.8.1 | published 2015-06-02
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
Sources: GHSA, NVD, OSV
CVE-2015-2316 | MEDIUM | CVSS 5.0 | affected: v1.6, v1.6.1, +17 more | published 2015-03-25
CWE-399: The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
Sources: GHSA, NVD, OSV
CVE-2015-2317 | MEDIUM | CVSS 4.3 | affected: ≤ 1.4.19, v1.5, +31 more | published 2015-03-25
CWE-79: The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
Sources: GHSA, NVD, OSV
CVE-2015-2241 | MEDIUM | CVSS 4.3 | affected: ≤ 1.7.5, v1.8 | published 2015-03-12
CWE-79: Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Sources: GHSA, NVD, OSV
CVE-2015-0221 | MEDIUM | CVSS 5.0 | affected: ≤ 1.4.17, v1.6, +12 more | published 2015-01-16
CWE-399: The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
Sources: GHSA, NVD, OSV
CVE-2015-0219 | MEDIUM | CVSS 5.0 | affected: ≤ 1.4.17, v1.6, +12 more | published 2015-01-16
CWE-17: Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
Sources: GHSA, NVD, OSV
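The underscore/dash conflation in CVE-2015-0219 comes from the CGI-style mapping every WSGI server applies to header names (uppercase, `-` to `_`, prefix `HTTP_`): `X-Auth-User` and `X-Auth_User` both become `HTTP_X_AUTH_USER`, so a front-end proxy that strips only the exact name `X-Auth-User` from client traffic lets the underscore spelling through. Because the environ cannot tell the two apart once they are folded, the only reliable fix is to drop underscore-named headers before the mapping, which is nginx's default behaviour and the approach the Django fix applied to its development server. The following is an added example written for this page, not Django's code: the proxy simulation, the `X-Auth_User` header value and the user names are all constructed.

```python
def wsgi_environ_key(header_name):
    """CGI/WSGI mapping of an HTTP header name to its environ key.

    The mapping is lossy: a dash and an underscore in the original name
    produce the same key, which is the root of the spoofing issue.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(raw_headers):
    """Fold (name, value) pairs into a WSGI-style environ.

    Repeated keys are joined with ", " as CGI prescribes for repeated
    header fields, so a collision corrupts the value rather than silently
    picking one spelling.
    """
    environ = {}
    for name, value in raw_headers:
        key = wsgi_environ_key(name)
        environ[key] = value if key not in environ else environ[key] + ", " + value
    return environ


def drop_underscore_headers(raw_headers):
    """Edge-side mitigation: discard any header whose name contains '_'
    before it can be folded into the environ."""
    return [(name, value) for name, value in raw_headers if "_" not in name]


def simulate_proxy(client_headers, authenticated_user, strip_underscores):
    """Constructed reverse proxy: it removes the client's own X-Auth-User by
    exact name match and appends the trusted value it derived from the
    authenticated session. Only the exact dash spelling is removed, which is
    the gap the underscore variant slips through."""
    if strip_underscores:
        client_headers = drop_underscore_headers(client_headers)
    forwarded = [(n, v) for n, v in client_headers if n.lower() != "x-auth-user"]
    forwarded.append(("X-Auth-User", authenticated_user))
    return forwarded


def remote_user(client_headers, authenticated_user, strip_underscores):
    """Value the application would read for the trusted header after the
    proxy and the WSGI mapping have both run."""
    environ = build_environ(simulate_proxy(client_headers, authenticated_user, strip_underscores))
    return environ.get("HTTP_X_AUTH_USER")


# Constructed client request: the attacker sends the underscore spelling.
CLIENT_SPOOF = [("Host", "app.example.com"), ("X-Auth_User", "admin")]

if __name__ == "__main__":
    print("same key:", wsgi_environ_key("X-Auth-User") == wsgi_environ_key("X-Auth_User"))
    print("without edge filtering:", remote_user(CLIENT_SPOOF, "alice", strip_underscores=False))
    print("with edge filtering:   ", remote_user(CLIENT_SPOOF, "alice", strip_underscores=True))
```

The check to run in practice is the same one the simulation performs: send a request with an underscore variant of every trusted header through the real front end and confirm the application sees only the proxy-supplied value.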
CVE-2015-0220 | MEDIUM | CVSS 4.3 | affected: ≤ 1.4.17, v1.6, +12 more | published 2015-01-16
CWE-79: The django.utils.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespace, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
Sources: GHSA, NVD, OSV
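Three entries on this page (CVE-2016-2512, CVE-2015-2317 and CVE-2015-0220) are successive bypasses of the same redirect-target check, and each bypass exploits a gap between how `urlparse` reads a URL and how a browser reads it: a backslash before `@` that a browser treats as basic-auth credentials for `attacker.com`, a leading control character the browser ignores before `javascript:`, and leading whitespace the browser strips. The following is an added example written for this page, not Django's `is_safe_url` implementation: it is a self-contained checker that applies the same three defences (check both the raw and the backslash-normalised form, reject a leading control character, strip whitespace before parsing) to the payloads cited in the advisories. The function names, the allowed host `mysite.example.com` and the sample targets are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def _check_one_form(url, allowed_host):
    # Some browsers treat three leading slashes as an absolute URL while
    # urlsplit sees an empty netloc; refuse the form outright.
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    # "http:///example.com": scheme present, netloc empty; a browser still
    # uses example.com as the host, so this must not pass.
    if parts.scheme and not parts.netloc:
        return False
    # A leading control character (e.g. "\x08") is ignored by some browsers,
    # which then execute a scheme that the parser never saw.
    if unicodedata.category(url[0])[0] == "C":
        return False
    host_ok = (not parts.netloc) or parts.netloc == allowed_host
    scheme_ok = (not parts.scheme) or parts.scheme in ("http", "https")
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_host):
    """True only if `url` is a relative path or an http(s) URL on allowed_host."""
    if url is None:
        return False
    # Browsers strip leading and trailing whitespace ("\n" included) before
    # interpreting the URL, so strip it here before any parsing happens.
    url = url.strip()
    if not url:
        return False
    # Browsers treat "\" like "/" in paths, but inside the authority it can
    # be read as part of basic-auth credentials. Both spellings must be safe.
    return _check_one_form(url, allowed_host) and _check_one_form(url.replace("\\", "/"), allowed_host)


# Constructed inputs. The first three are the forms cited in the advisories;
# the rest are routine accept/reject cases for comparison.
SAMPLE_TARGETS = [
    "http://mysite.example.com\\@attacker.com",
    "\x08javascript:alert(1)",
    "\njavascript:alert(1)",
    "//attacker.com/",
    "http:///mysite.example.com",
    "/accounts/profile/",
    "https://mysite.example.com/next",
]


def classify(targets=SAMPLE_TARGETS, allowed_host="mysite.example.com"):
    """Map each candidate redirect target to the checker's decision."""
    return {target: is_safe_redirect(target, allowed_host) for target in targets}


if __name__ == "__main__":
    for target, ok in classify().items():
        print("SAFE  " if ok else "REJECT", repr(target))
```

The ordering inside `is_safe_redirect` is the point: whitespace is stripped before the control-character test, and the control-character test runs on the raw string rather than on the parser's view of it, so a bypass that targets the parser alone does not help an attacker.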
CVE-2015-0222 | MEDIUM | CVSS 5.0 | affected: ≤ 1.4.17, v1.6, +12 more | published 2015-01-16
CWE-17: ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.
Sources: GHSA, NVD, OSV
CVE-2014-0482 | MEDIUM | CVSS 6.0 | affected: v1.6, v1.6.1, +27 more | published 2014-08-26
CWE-287: The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
Sources: GHSA, NVD, OSV