Django — свободный фреймворк для веб-приложений на языке Python, использующий шаблон проектирования MVC
Релизный цикл, информация об уязвимостях
График релизов
Количество 750
CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 b ...
CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
BDU:2023-09092
Уязвимость программной платформы для веб-приложений Django, связанная с загрузкой кода без проверки его целостности, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
GHSA-p64x-8rxx-wf6q
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
CVE-2022-34265
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
CVE-2022-34265
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0 ...
CVE-2022-34265
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
CVE-2022-34265
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
GHSA-59w8-4wm2-4xw8
Django Image Field Vulnerable to Image Decompression Bombs
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2022-36359 An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. | CVSS3: 8.8 | 1% Низкий | больше 3 лет назад |
| CVE-2022-36359 An issue was discovered in the HTTP FileResponse class in Django 3.2 b ... | CVSS3: 8.8 | 1% Низкий | больше 3 лет назад |
 | CVE-2022-36359 An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. | CVSS3: 8.8 | 1% Низкий | больше 3 лет назад |
 | BDU:2023-09092 Уязвимость программной платформы для веб-приложений Django, связанная с загрузкой кода без проверки его целостности, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании | CVSS3: 8.8 | 1% Низкий | больше 3 лет назад |
| GHSA-p64x-8rxx-wf6q Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection | CVSS3: 9.8 | 93% Критический | больше 3 лет назад |
| CVE-2022-34265 An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. | CVSS3: 9.8 | 93% Критический | больше 3 лет назад |
| CVE-2022-34265 An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0 ... | CVSS3: 9.8 | 93% Критический | больше 3 лет назад |
| CVE-2022-34265 An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. | CVSS3: 9.8 | 93% Критический | больше 3 лет назад |
 | CVE-2022-34265 An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. | CVSS3: 9.8 | 93% Критический | больше 3 лет назад |
| GHSA-59w8-4wm2-4xw8 Django Image Field Vulnerable to Image Decompression Bombs | CVSS3: 7.5 | 1% Низкий | больше 3 лет назад |
Уязвимостей на страницу