Django — свободный фреймворк для веб-приложений на языке Python, использующий шаблон проектирования MVC
Релизный цикл, информация об уязвимостях
График релизов
Количество 745
CVE-2015-5144
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
CVE-2015-3982
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
CVE-2015-3982
The session.flush function in the cached_db backend in Django 1.8.x be ...
CVE-2015-3982
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
CVE-2015-3982
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
CVE-2015-2317
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
CVE-2015-2317
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1. ...
CVE-2015-2316
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
CVE-2015-2316
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7. ...
CVE-2015-2316
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2015-5144 Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. | CVSS2: 4.3 | 2% Низкий | больше 10 лет назад |
 | CVE-2015-3982 The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key. | CVSS2: 5 | 0% Низкий | больше 10 лет назад |
| CVE-2015-3982 The session.flush function in the cached_db backend in Django 1.8.x be ... | CVSS2: 5 | 0% Низкий | больше 10 лет назад |
 | CVE-2015-3982 The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key. | CVSS2: 5 | 0% Низкий | больше 10 лет назад |
| CVE-2015-3982 The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key. | CVSS2: 5.8 | 0% Низкий | больше 10 лет назад |
| CVE-2015-2317 The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. | CVSS2: 4.3 | 5% Низкий | больше 10 лет назад |
| CVE-2015-2317 The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1. ... | CVSS2: 4.3 | 5% Низкий | больше 10 лет назад |
| CVE-2015-2316 The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string. | CVSS2: 5 | 2% Низкий | больше 10 лет назад |
| CVE-2015-2316 The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7. ... | CVSS2: 5 | 2% Низкий | больше 10 лет назад |
| CVE-2015-2316 The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string. | CVSS2: 5 | 2% Низкий | больше 10 лет назад |
Уязвимостей на страницу