Django — свободный фреймворк для веб-приложений на языке Python, использующий шаблон проектирования MVC
Релизный цикл, информация об уязвимостях
График релизов
Количество 673
CVE-2012-3442
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
CVE-2012-3442
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpRespo ...
CVE-2012-3444
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.
CVE-2012-3442
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
CVE-2012-3443
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
CVE-2011-4140
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
CVE-2011-4140
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x throug ...
CVE-2011-4139
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
CVE-2011-4139
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host ...
CVE-2011-4138
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2012-3442 The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL. | CVSS2: 4.3 | 0% Низкий | почти 13 лет назад |
| CVE-2012-3442 The (1) django.http.HttpResponseRedirect and (2) django.http.HttpRespo ... | CVSS2: 4.3 | 0% Низкий | почти 13 лет назад |
 | CVE-2012-3444 The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image. | CVSS2: 5 | 1% Низкий | почти 13 лет назад |
| CVE-2012-3442 The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL. | CVSS2: 4.3 | 0% Низкий | почти 13 лет назад |
| CVE-2012-3443 The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file. | CVSS2: 5 | 1% Низкий | почти 13 лет назад |
| CVE-2011-4140 The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code. | CVSS2: 6.8 | 0% Низкий | больше 13 лет назад |
| CVE-2011-4140 The CSRF protection mechanism in Django through 1.2.7 and 1.3.x throug ... | CVSS2: 6.8 | 0% Низкий | больше 13 лет назад |
| CVE-2011-4139 Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request. | CVSS2: 5 | 1% Низкий | больше 13 лет назад |
| CVE-2011-4139 Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host ... | CVSS2: 5 | 1% Низкий | больше 13 лет назад |
| CVE-2011-4138 The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header. | CVSS2: 5 | 1% Низкий | больше 13 лет назад |
Уязвимостей на страницу