Django — свободный фреймворк для веб-приложений на языке Python, использующий шаблон проектирования MVC

Релизный цикл, информация об уязвимостях

Продукт: Django

Вендор: djangoproject

График релизов

Недавние уязвимости Django

Количество 751

CVE-2015-0219

около 11 лет назад

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allo ...

CVSS2: 5

EPSS: Низкий

CVE-2015-0220

около 11 лет назад

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.

CVSS2: 4.3

EPSS: Низкий

CVE-2015-0219

около 11 лет назад

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

CVSS2: 5

EPSS: Низкий

CVE-2015-0221

около 11 лет назад

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

CVSS2: 5

EPSS: Низкий

CVE-2015-0222

около 11 лет назад

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

CVSS2: 5

EPSS: Низкий

CVE-2015-0222

около 11 лет назад

CVSS2: 4.3

EPSS: Низкий

CVE-2015-0219

около 11 лет назад

CVSS2: 5.8

EPSS: Низкий

CVE-2015-0220

около 11 лет назад

CVSS2: 4.3

EPSS: Низкий

CVE-2015-0221

около 11 лет назад

CVSS2: 4.3

EPSS: Низкий

CVE-2014-0483

больше 11 лет назад

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.

CVSS2: 3.5

EPSS: Низкий

Уязвимостей на страницу

Уязвимость	CVSS	EPSS	Опубликовано 1
CVE-2015-0219 Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allo ...	CVSS2: 5	3% Низкий	около 11 лет назад
CVE-2015-0220 The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.	CVSS2: 4.3	3% Низкий	около 11 лет назад
CVE-2015-0219 Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.	CVSS2: 5	3% Низкий	около 11 лет назад
CVE-2015-0221 The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.	CVSS2: 5	9% Низкий	около 11 лет назад
CVE-2015-0222 ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.	CVSS2: 5	6% Низкий	около 11 лет назад
CVE-2015-0222 ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.	CVSS2: 4.3	6% Низкий	около 11 лет назад
CVE-2015-0219 Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.	CVSS2: 5.8	3% Низкий	около 11 лет назад
CVE-2015-0220 The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.	CVSS2: 4.3	3% Низкий	около 11 лет назад
CVE-2015-0221 The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.	CVSS2: 4.3	9% Низкий	около 11 лет назад
CVE-2014-0483 The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.	CVSS2: 3.5	0% Низкий	больше 11 лет назад

Уязвимостей на страницу