Django is a free web application framework written in Python that uses the MVC design pattern.
Release cycle and vulnerability information
Release schedule
Count: 679
Vulnerability | CVSS | EPSS | Published
---|---|---|---
GHSA-9xg7-gg9m-rmq9 Django Admin Media Handler Vulnerable to Directory Traversal | CVSS3: 7.5 | 2% Low | more than 3 years ago
GHSA-r5cj-wv24-92p5 Django cross-site request forgery (CSRF) vulnerability | CVSS3: 7.5 | 0% Low | more than 3 years ago
GHSA-54qj-48vx-cr9f Django Cross-site scripting (XSS) vulnerability | CVSS3: 6.1 | 0% Low | more than 3 years ago
GHSA-pjc8-j97x-hp3p ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. NOTE: this issue has been disputed by Debian, since product documentation includes a recommendation for a CSRF protection module that is included with the product. However, CVE considers this an issue because the default configuration does not use this module. | (not rated) | 0% Low | more than 3 years ago
GHSA-9v8h-57gv-qch6 Django vulnerable to Denial of Service via i18n middleware component | CVSS3: 5.9 | 2% Low | more than 3 years ago
GHSA-qc99-g3wm-hgxr Django Arbitrary Code Execution | (not rated) | 1% Low | more than 3 years ago
GHSA-mwv2-398h-v489 Django Improper Access Control | (not rated) | 1% Low | more than 3 years ago
GHSA-2gwj-7jmv-h26r SQL Injection in Django | CVSS3: 9.8 | 2% Low | more than 3 years ago
GHSA-w24h-v9qh-8gxj SQL Injection in Django | CVSS3: 9.8 | 1% Low | more than 3 years ago
CVE-2022-28347 A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. | CVSS3: 9.8 | 1% Low | more than 3 years ago