Django — свободный фреймворк для веб-приложений на языке Python, использующий шаблон проектирования MVC
Релизный цикл, информация об уязвимостях
График релизов
Количество 678
CVE-2011-4138
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
CVE-2011-4136
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVE-2011-4139
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
CVE-2011-0698
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
CVE-2011-0698
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2 ...
CVE-2011-0697
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
CVE-2011-0697
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 ...
CVE-2011-0696
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
CVE-2011-0696
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly val ...
CVE-2011-0697
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2011-4138 The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header. | CVSS2: 5 | 1% Низкий | почти 14 лет назад |
| CVE-2011-4136 django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier. | CVSS2: 5.8 | 1% Низкий | почти 14 лет назад |
| CVE-2011-4139 Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request. | CVSS2: 5 | 1% Низкий | почти 14 лет назад |
 | CVE-2011-0698 Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays. | CVSS2: 7.5 | 1% Низкий | больше 14 лет назад |
| CVE-2011-0698 Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2 ... | CVSS2: 7.5 | 1% Низкий | больше 14 лет назад |
| CVE-2011-0697 Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. | CVSS2: 4.3 | 3% Низкий | больше 14 лет назад |
| CVE-2011-0697 Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 ... | CVSS2: 4.3 | 3% Низкий | больше 14 лет назад |
| CVE-2011-0696 Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447. | CVSS2: 6.8 | 3% Низкий | больше 14 лет назад |
| CVE-2011-0696 Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly val ... | CVSS2: 6.8 | 3% Низкий | больше 14 лет назад |
| CVE-2011-0697 Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. | CVSS2: 4.3 | 3% Низкий | больше 14 лет назад |
Уязвимостей на страницу