Django CVEs as listed by the tracker, ordered by severity. A dash marks a score the tracker does not give.

| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2014-0474 | critical | — | 10.0 | 12y ago | The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not proper… |
| CVE-2016-9013 | critical | 9.8 | 9.8 | 10y ago | Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it eas… |
| CVE-2019-19844 | high | — | 9.0 | 7y ago | Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of… |
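CVE-2019-19844 turns on the fact that case-insensitive matching is not identity under Unicode. The example below is added here and is not Django's code; the account store is constructed inline. `vulnerable_reset_target` keeps the pre-fix shape (match by `lower()`, send the reset mail to the string the client submitted); `hardened_reset_target` normalises with NFKC, case-folds, and addresses the mail only to the email stored on the account, which is the property the fix restored. The collision used is U+212A KELVIN SIGN, whose lowercase form is ASCII `k`.

```python
import unicodedata

# Constructed account store for this example: stored email -> username.
USERS = {
    "mike@example.com": "mike",
    "anna@example.com": "anna",
}


def vulnerable_reset_target(submitted_email, users=USERS):
    """Pre-fix shape: a case-insensitive lookup selects the account, and
    the reset mail is addressed to the *submitted* string. Returns
    (username, address the mail would go to) or None."""
    for stored_email, username in users.items():
        if stored_email.lower() == submitted_email.lower():
            return username, submitted_email   # the attacker receives the token
    return None


def unicode_ci_equal(a, b):
    """Case-insensitive equality after NFKC normalisation and case folding,
    so compatibility characters are compared as what they stand for."""
    return (unicodedata.normalize("NFKC", a).casefold()
            == unicodedata.normalize("NFKC", b).casefold())


def hardened_reset_target(submitted_email, users=USERS):
    """Post-fix shape: the same account may still be matched, but the mail
    is always sent to the address stored on the account, never to the
    client-supplied string."""
    for stored_email, username in users.items():
        if unicode_ci_equal(stored_email, submitted_email):
            return username, stored_email      # the real owner receives the token
    return None
```

The lookup still succeeds for the crafted address in the hardened version; what changes is where the token goes, and that is the whole attack surface here.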
| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2016-9014 | high | 8.1 | 8.1 | 4y ago | Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validat… |
| CVE-2023-36053 | high | — | 8.0 | 3y ago | In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large num… |
| CVE-2023-31047 | high | — | 8.0 | 3y ago | In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been suppo… |
| CVE-2023-24580 | high | — | 8.0 | 3y ago | An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart … |
| CVE-2023-23969 | high | — | 8.0 | 3y ago | In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-… |
| CVE-2022-41323 | high | — | 8.0 | 4y ago | In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regula… |
| CVE-2022-34265 | high | — | 8.0 | 4y ago | An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name val… |
| CVE-2021-35042 | high | — | 8.0 | 5y ago | Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. |
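CVE-2022-34265 and CVE-2021-35042 share a cause: an ORM argument that is an identifier rather than a value (a Trunc()/Extract() kind, an order_by() field) is spliced into SQL unquoted, so passing `request.GET["sort"]` straight through is an injection. Upgrading fixes the framework side; the application side is to never let client text name a column or a kind. The block below is an added example, not Django's code; the allowed field names are hypothetical, and `Item.objects.order_by(*safe_order_by(...))` and `Trunc("created", safe_trunc_kind(...))` are where the cleaned values would be used.

```python
import re

# Hypothetical model fields a listing view may sort on.
ALLOWED_ORDER_FIELDS = {"created", "title", "price"}
# The kinds Django's Trunc()/Extract() understand; anything else is an injection attempt or a bug.
ALLOWED_TRUNC_KINDS = {"year", "quarter", "month", "week", "day", "hour", "minute", "second"}

_ORDER_RE = re.compile(r"^(-?)([A-Za-z_][A-Za-z0-9_]*)$")


def safe_order_by(raw, allowed=ALLOWED_ORDER_FIELDS, default="created"):
    """Turn comma-separated client input such as '-created,title' into a list
    of order_by() arguments. Each part must be `field` or `-field` with the
    field in the allowlist; anything else raises ValueError, so no client
    text is ever handed to the ORM as an identifier."""
    cleaned = []
    for part in raw.split(","):
        part = part.strip()
        if not part:
            continue
        m = _ORDER_RE.match(part)
        if not m or m.group(2) not in allowed:
            raise ValueError(f"unsupported sort field: {part!r}")
        cleaned.append(m.group(1) + m.group(2))
    return cleaned or [default]


def safe_trunc_kind(raw, allowed=ALLOWED_TRUNC_KINDS):
    """Map client input to one of the fixed Trunc/Extract kinds or raise."""
    kind = raw.strip().lower()
    if kind not in allowed:
        raise ValueError(f"unsupported truncation kind: {raw!r}")
    return kind


def rejects(fn, value):
    """True if fn(value) raises ValueError (helper for the checks below)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False
```

The same allowlist discipline applies to the other identifier-position parameters in this list (annotation aliases, StringAgg delimiters, JSONField key lookups, GIS tolerance): the fix in Django closes the specific hole, but a parameter that names a thing rather than holding a value should never be derived from the request without a mapping like this.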
| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2020-9402 | high | — | 8.0 | 6y ago | Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a sui… |
| CVE-2019-12781 | high | — | 8.0 | 7y ago | An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT set… |
| CVE-2015-5145 | high | — | 7.8 | 11y ago | validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. |
| CVE-2015-5143 | high | — | 7.8 | 11y ago | The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via mult… |
| CVE-2011-0698 | high | — | 7.5 | 8y ago | Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session … |
| CVE-2016-7401 | high | 7.5 | 7.5 | 10y ago | The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting … |
| CVE-2016-2512 | high | 7.4 | 7.4 | 10y ago | The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cr… |
| CVE-2016-6186 | medium | 6.1 | 7.1 | 10y ago | Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, an… |
| CVE-2011-0696 | medium | — | 6.8 | 8y ago | Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site req… |
| CVE-2011-4140 | medium | — | 6.8 | 15y ago | The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers … |
| CVE-2026-35192 | medium | 6.5 | 6.5 | 29d ago | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker … |
| CVE-2012-4520 | medium | — | 6.4 | 4y ago | The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host… |
| CVE-2014-1418 | medium | — | 6.4 | 12y ago | Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attacke… |
| CVE-2017-7233 | medium | 6.1 | 6.1 | 8y ago | Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``dj… |
| CVE-2017-12794 | medium | 6.1 | 6.1 | 9y ago | In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cr… |
| CVE-2017-7234 | medium | 6.1 | 6.1 | 9y ago | A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an ope… |
| CVE-2014-0482 | medium | — | 6.0 | 4y ago | The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.R… |
| CVE-2014-0480 | medium | — | 5.8 | 12y ago | The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attacke… |
| CVE-2011-4136 | medium | — | 5.8 | 15y ago | django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which … |
| CVE-2025-32873 | medium | — | 5.5 | 1y ago | An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performan… |
| CVE-2016-2048 | medium | 5.5 | 5.5 | 4y ago | Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option … |
| CVE-2022-28346 | medium | — | 5.5 | 4y ago | An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via … |
| CVE-2022-28347 | medium | — | 5.5 | 4y ago | A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion… |
| CVE-2022-22818 | medium | — | 5.5 | 4y ago | The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. |
| CVE-2022-23833 | medium | — | 5.5 | 4y ago | An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsin… |
| CVE-2021-45116 | medium | — | 5.5 | 4y ago | An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter … |
| CVE-2021-45452 | medium | — | 5.5 | 4y ago | Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. |
| CVE-2021-45115 | medium | — | 5.5 | 4y ago | An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that wa… |
| CVE-2021-44420 | medium | — | 5.5 | 5y ago | In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. |
| CVE-2021-33571 | medium | — | 5.5 | 5y ago | In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This m… |
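Why leading zeros matter for CVE-2021-33571: a string that looks like a harmless external address to a lenient validator can be read as octal by the C library a resolver or HTTP client calls later, so `0177.0.0.1` becomes 127.0.0.1 and an SSRF filter that only looked at the text is bypassed. The block below is an added example, not Django's code. `strict_ipv4` is the rule the fixed validators enforce (decimal dotted quad, no leading zeros); `inet_aton_style` is an illustrative reimplementation of inet_aton() parsing written for this example, not a libc call, and it covers the hex and short forms as well as the octal one from the advisory.

```python
import ipaddress


def strict_ipv4(text):
    """The rule the fixed validators apply: exactly four decimal octets,
    no leading zeros, each 0..255. Returns the canonical string or None."""
    octets = text.split(".")
    if len(octets) != 4:
        return None
    for o in octets:
        if not (o.isascii() and o.isdigit()):
            return None
        if len(o) > 1 and o[0] == "0":
            return None
        if int(o) > 255:
            return None
    return ".".join(str(int(o)) for o in octets)


def inet_aton_style(text):
    """Illustrative reimplementation (written for this example, not a libc
    call) of how C inet_aton() reads an address: each part may be decimal,
    octal (leading 0) or hex (leading 0x), and with fewer than four parts
    the last one fills the remaining bytes. Returns dotted decimal or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        try:
            if p[:2].lower() == "0x":
                values.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                values.append(int(p, 8))
            else:
                values.append(int(p, 10))
        except ValueError:
            return None
    addr = 0
    for v in values[:-1]:
        if not 0 <= v <= 255:
            return None
        addr = (addr << 8) | v
    tail_bytes = 4 - (len(values) - 1)
    if not 0 <= values[-1] < (1 << (8 * tail_bytes)):
        return None
    addr = (addr << (8 * tail_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(addr))
```

The practical check is the pair of results for the same input: if `strict_ipv4` returns None but `inet_aton_style` returns an address, the string is one a lenient validator would pass and the network stack would reinterpret.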
| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2021-33203 | medium | — | 5.5 | 5y ago | Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the exis… |
| CVE-2021-32052 | medium | — | 5.5 | 5y ago | In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application… |
| CVE-2020-24583 | medium | — | 5.5 | 5y ago | An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level d… |
| CVE-2020-24584 | medium | — | 5.5 | 5y ago | An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's st… |
| CVE-2020-13596 | medium | — | 5.5 | 6y ago | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility … |
| CVE-2020-13254 | medium | — | 5.5 | 6y ago | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collis… |
| CVE-2020-7471 | medium | — | 5.5 | 6y ago | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data … |
| CVE-2019-14234 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.… |
| CVE-2019-14233 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremel… |
| CVE-2019-14235 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage… |
| CVE-2019-14232 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, … |
| CVE-2019-12308 | medium | — | 5.5 | 7y ago | An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without… |
| CVE-2019-6975 | medium | — | 5.5 | 7y ago | Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() func… |
| CVE-2019-3498 | medium | — | 5.5 | 8y ago | In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defa… |
| CVE-2018-7536 | medium | — | 5.5 | 8y ago | An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastroph… |
| CVE-2018-7537 | medium | — | 5.5 | 8y ago | An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they w… |
| CVE-2018-14574 | medium | — | 5.5 | 8y ago | django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. |
| CVE-2018-6188 | medium | — | 5.5 | 8y ago | django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from th… |
| CVE-2018-16984 | medium | — | 5.5 | 8y ago | An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display a… |
| CVE-2026-6907 | medium | 5.3 | 5.3 | 29d ago | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). T… |
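Three entries in this list are the same caching mistake seen from different sides: CVE-2014-1418 (no Vary: Cookie, so a per-session response is cached for everyone), CVE-2026-35192 (the session was read but the response still did not vary on Cookie) and CVE-2026-6907 (a response carrying Vary: * was stored although the wildcard means it must never be reused). The block below is an added example, not Django's code: `add_vary` is the response-side rule (declare Cookie once the session has been read, keep `*` if already present) and `cache_key` is the cache-side rule (no key at all for `*`, otherwise key on the request values of every listed header). The header values in the checks are constructed.

```python
import hashlib


def parse_vary(value):
    """Split a Vary header value into stripped field names, lower-cased."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def add_vary(response_headers, *names):
    """Response side: merge field names into Vary without duplicates
    (case-insensitively, preserving the spelling already present). A view
    that read the session must end up with Cookie listed, whether or not it
    modified the session. An existing '*' is kept, since it already forbids reuse."""
    existing = [v.strip() for v in response_headers.get("Vary", "").split(",") if v.strip()]
    if "*" in existing:
        return {**response_headers, "Vary": "*"}
    seen = {v.lower() for v in existing}
    for name in names:
        if name.lower() not in seen:
            existing.append(name)
            seen.add(name.lower())
    return {**response_headers, "Vary": ", ".join(existing)}


def cache_key(method, path, request_headers, response_headers):
    """Cache side: the key a shared cache must use for this response, or
    None when the response may not be stored at all. 'Vary: *' means the
    response depends on something outside the headers, so it is never
    reusable (RFC 9110 section 12.5.5); otherwise the key includes the
    request value of every listed header, e.g. Cookie."""
    vary = parse_vary(response_headers.get("Vary", ""))
    if "*" in vary:
        return None
    request = {k.lower(): v for k, v in request_headers.items()}
    h = hashlib.sha256(f"{method} {path}".encode())
    for name in sorted(vary):
        h.update(f"\n{name}: {request.get(name, '')}".encode())
    return h.hexdigest()
```

The first check below is the CVE-2014-1418 failure in miniature: with no Vary header, two different sessions produce the same key, so whichever user's page is cached first is served to the other.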
| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2026-5766 | medium | 5.3 | 5.3 | 29d ago | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially … |
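The ASGI limit bypass in CVE-2026-5766 is an instance of a general pattern: a size limit checked against the client's Content-Length is a limit the client controls. The block below is an added example, not Django's code, using an in-memory stream as a stand-in for the request body. `read_body_trusting_header` is the pre-fix shape; `read_body_enforcing_limit` counts bytes as they arrive and stops at the cap whatever the header says, so the most it ever buffers is `max_in_memory + 1` bytes.

```python
import io


class UploadTooLarge(Exception):
    pass


def body_stream(data):
    """Stand-in for the request body stream (constructed for the checks)."""
    return io.BytesIO(data)


def read_body_trusting_header(stream, declared_length, max_in_memory):
    """Pre-fix shape of the bug: the cap is checked against Content-Length,
    then the body is read to exhaustion. A client that understates the
    header (or omits it and streams) gets past the limit."""
    if declared_length is not None and declared_length > max_in_memory:
        raise UploadTooLarge("declared size exceeds limit")
    return stream.read()


def read_body_enforcing_limit(stream, declared_length, max_in_memory, chunk_size=8192):
    """Hardened: Content-Length is a hint for early rejection only. Bytes are
    counted as they arrive and reading stops the moment the cap is exceeded,
    so the client cannot make the server buffer more than max_in_memory + 1."""
    if declared_length is not None and declared_length > max_in_memory:
        raise UploadTooLarge("declared size exceeds limit")
    buf = bytearray()
    while True:
        want = min(chunk_size, max_in_memory + 1 - len(buf))
        chunk = stream.read(want)
        if not chunk:
            break
        buf += chunk
        if len(buf) > max_in_memory:
            raise UploadTooLarge("body exceeded limit regardless of Content-Length")
    if declared_length is not None and len(buf) != declared_length:
        raise ValueError("body length does not match Content-Length")
    return bytes(buf)


def blocked(stream, declared_length, max_in_memory):
    """True if the hardened reader rejects this request (used in the checks below)."""
    try:
        read_body_enforcing_limit(stream, declared_length, max_in_memory)
    except UploadTooLarge:
        return True
    return False
```

A body that ends short of its declared length is treated as malformed rather than silently accepted; a 400 there is cheaper than letting the parser reason about a half-delivered multipart message.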
| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2014-0472 | medium | — | 5.1 | 12y ago | The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Pyth… |
| CVE-2012-3443 | medium | — | 5.0 | 4y ago | The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a… |
| CVE-2012-3444 | medium | — | 5.0 | 4y ago | The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows re… |
| CVE-2013-1443 | medium | — | 5.0 | 4y ago | The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption)… |
| CVE-2015-3982 | medium | — | 5.0 | 4y ago | The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the … |
| CVE-2015-8213 | medium | — | 5.0 | 4y ago | The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via … |
| CVE-2015-0219 | medium | — | 5.0 | 4y ago | Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header,… |
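The underscore trick in CVE-2015-0219 works because the WSGI mapping from header names to `HTTP_*` keys is lossy: `X_Forwarded_For` and `X-Forwarded-For` both become `HTTP_X_FORWARDED_FOR`, so a header the proxy does not recognise reaches the application under the name of one it sanitised. The block below is an added example, not Django's code; `proxy_pass` is a minimal model of a reverse proxy that overwrites X-Forwarded-For, and `SPOOFED_REQUEST` is a constructed request. Dropping header names that contain `_` before the mapping is the mitigation Django's development server and most gateways apply.

```python
# Constructed attacker request: the proxy will add its own X-Forwarded-For,
# but it does not recognise the underscore spelling and passes it through.
SPOOFED_REQUEST = [("Host", "app.example"), ("X_Forwarded_For", "10.0.0.1")]


def proxy_pass(client_headers, client_ip):
    """Model of a reverse proxy that replaces X-Forwarded-For with the real
    peer address. It matches the header by exact (case-insensitive) name,
    so 'X_Forwarded_For' is not touched."""
    kept = [(n, v) for n, v in client_headers if n.lower() != "x-forwarded-for"]
    return kept + [("X-Forwarded-For", client_ip)]


def wsgi_environ_from_headers(headers, drop_underscores=True):
    """Turn request headers into WSGI HTTP_* keys the way a gateway does:
    upper-case, '-' -> '_'. That mapping is lossy: 'X_Forwarded_For' and
    'X-Forwarded-For' both land on HTTP_X_FORWARDED_FOR, and repeated keys
    are joined with commas (RFC 9110 section 5.3). Dropping names that
    contain '_' before the mapping removes the collision."""
    environ = {}
    for name, value in headers:
        if drop_underscores and "_" in name:
            continue
        key = "HTTP_" + name.upper().replace("-", "_")
        environ[key] = value if key not in environ else environ[key] + "," + value
    return environ


def client_ip_from(environ):
    """Naive application-side logic: trust the first X-Forwarded-For entry."""
    return environ.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
```

With underscores kept, the attacker's value comes first in the merged header and `client_ip_from` reports 10.0.0.1; with them dropped, only the proxy's value survives.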
| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2015-0222 | medium | — | 5.0 | 4y ago | ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate va… |
| CVE-2011-4137 | medium | — | 5.0 | 8y ago | The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which … |
| CVE-2015-5964 | medium | — | 5.0 | 11y ago | The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty ses… |
| CVE-2015-5963 | medium | — | 5.0 | 11y ago | contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service … |
| CVE-2015-2316 | medium | — | 5.0 | 11y ago | The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of servi… |
| CVE-2015-0221 | medium | — | 5.0 | 12y ago | The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of servic… |
| CVE-2014-0473 | medium | — | 5.0 | 12y ago | The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to… |
| CVE-2013-4315 | medium | — | 5.0 | 13y ago | Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_… |
| CVE-2013-0306 | medium | — | 5.0 | 13y ago | The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of ser… |
| CVE-2013-1665 | medium | — | 5.0 | 13y ago | The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via a… |
| CVE-2013-1664 | medium | — | 5.0 | 13y ago | The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other pro… |
| CVE-2011-4139 | medium | — | 5.0 | 15y ago | Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a c… |
| CVE-2011-4138 | medium | — | 5.0 | 15y ago | The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for … |
| CVE-2010-4535 | medium | — | 5.0 | 16y ago | The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestam… |
| CVE-2015-2241 | medium | — | 4.3 | 4y ago | Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a … |
| CVE-2013-4249 | medium | — | 4.3 | 4y ago | Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbit… |
| CVE-2015-2317 | medium | — | 4.3 | 4y ago | The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to c… |
| CVE-2014-0481 | medium | — | 4.3 | 4y ago | The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generatio… |
| CVE-2015-5144 | medium | — | 4.3 | 11y ago | Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP … |
| CVE-2015-0220 | medium | — | 4.3 | 12y ago | The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct c… |
| CVE-2014-3730 | medium | — | 4.3 | 12y ago | The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to condu… |
| CVE-2013-6044 | medium | — | 4.3 | 13y ago | The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce … |
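The is_safe_url entries in this list (CVE-2013-6044, CVE-2014-3730, CVE-2015-0220, CVE-2015-2317, CVE-2016-2512, with CVE-2017-7233, CVE-2017-7234 and CVE-2018-14574 as further redirect checks built on it) trace the bypasses a redirect-target check has to survive: non-http schemes, scheme-less `//host`, backslashes the browser turns into slashes, leading whitespace and control characters, and the `///` and `http:///` forms. `is_safe_redirect` below is an added example written for this page, not Django's function, with the same shape as the checks the fixes introduced; `allowed_hosts` is a set of expected Host values (port included when it is not the default).

```python
import unicodedata
from urllib.parse import urlsplit


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    if url.startswith("///"):                  # browsers read this as //host/
        return False
    try:
        parts = urlsplit(url)
    except ValueError:                          # e.g. a malformed IPv6 literal
        return False
    if parts.scheme and not parts.netloc:       # 'javascript:...', 'http:///evil'
        return False
    if unicodedata.category(url[0])[0] == "C":  # leading control character
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid = {"https"} if require_https else {"http", "https"}
    return (not parts.netloc or parts.netloc in allowed_hosts) and (not scheme or scheme in valid)


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """True only if `url` is relative or points at one of allowed_hosts over
    http(s). Leading whitespace is stripped first (CVE-2015-0220), non-http
    schemes are refused (CVE-2013-6044), and the check is run a second time
    with backslashes turned into slashes because browsers treat
    '\\\\evil.example' like '//evil.example' (CVE-2014-3730). allowed_hosts
    entries must include a port when the request host carries one."""
    url = url.strip()
    if not url:
        return False
    return (_host_and_scheme_ok(url, allowed_hosts, require_https)
            and _host_and_scheme_ok(url.replace("\\", "/"), allowed_hosts, require_https))
```

The two-pass check is the non-obvious part: `\\evil.example` parses as a relative path in Python and in most server-side libraries, but Chrome and Edge normalise the backslashes and leave the site. Deny-listing the individual tricks is how this function accumulated seven CVEs; an allowlist on host and scheme is what finally held.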
| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2011-0697 | medium | — | 4.3 | 16y ago | Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file … |
| CVE-2010-3082 | medium | — | 4.3 | 16y ago | Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie. |
| CVE-2013-0305 | medium | — | 4.0 | 13y ago | The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated a… |
| CVE-2010-4534 | medium | — | 4.0 | 16y ago | The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain obje… |
| CVE-2019-11358 | low | — | 3.5 | 7y ago | RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low) |
| CVE-2014-0483 | low | — | 3.5 | 12y ago | The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship be… |
| CVE-2016-2513 | low | 3.1 | 3.1 | 10y ago | The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. |
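CVE-2016-2513 is the classic user-enumeration side channel: when the username is unknown the login path returns without hashing, so a response that is tens of milliseconds faster reveals which accounts exist. The block below is an added example, not Django's code, with a constructed user table. `check_login_leaky` is the pre-fix shape; `check_login_constant_time` always runs the same PBKDF2 cost against a throwaway credential when the user is unknown (Django's fix runs the default hasher on a dummy password for the same reason). The iteration count is kept low so the example runs quickly; production code should use the hasher's default.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # kept low for a runnable example; use the hasher default in production


def make_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, digest).
USERS = {"alice": make_hash("correct horse battery staple")}

# A throwaway credential with the same cost. Verifying against it when the
# username is unknown makes the unknown-user path take as long as a real one.
_DUMMY = make_hash(os.urandom(24).hex())


def check_login_leaky(username, password, users=USERS):
    """Pre-fix shape: an unknown user short-circuits before any hashing,
    so the response time reveals whether the account exists."""
    if username not in users:
        return False
    salt, digest = users[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_login_constant_time(username, password, users=USERS):
    """Hardened: always perform one full PBKDF2 derivation and one
    constant-time comparison, whether or not the user exists. The result
    is combined with the existence check only after both are computed."""
    salt, digest = users.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    matched = hmac.compare_digest(candidate, digest)
    return username in users and matched
```

The dummy credential is generated at import time from random bytes, so a guessed password can never match it; the `username in users` term is what keeps the function from ever returning True for an unknown account.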
| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2025-48432 | low | — | 2.5 | 1y ago | An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially… |
| CVE-2021-31542 | low | — | 2.5 | 5y ago | In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. |
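CVE-2021-31542 and CVE-2021-45452 in this list are both path traversal through a filename the client chose. The block below is an added example, not Django's code: `sanitize_upload_name` keeps only the last path component (under both separator conventions), restricts it to `[A-Za-z0-9_.-]` after NFKD normalisation and refuses names that collapse to `.`, `..` or nothing; `safe_join` is the second line of defence for any caller that builds a storage path from pieces, refusing results that resolve outside the media root. POSIX path functions are used explicitly so the outcome does not depend on the host OS.

```python
import posixpath
import re
import unicodedata

_UNSAFE = re.compile(r"[^A-Za-z0-9_.\-]")


def sanitize_upload_name(name, max_len=100):
    """Reduce a client-supplied filename to a bare base name.
    Separators of both OS families are stripped, the remainder is
    NFKD-normalised and restricted to [A-Za-z0-9_.-], and anything that
    collapses to '', '.' or '..' raises ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty filename or NUL byte")
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = unicodedata.normalize("NFKD", base)
    base = _UNSAFE.sub("", base)
    if not base or set(base) <= {"."}:
        raise ValueError("filename carries no usable name")
    root, ext = posixpath.splitext(base)
    return root[: max(1, max_len - len(ext))] + ext


def safe_join(media_root, *paths):
    """Join under media_root and refuse anything that resolves outside it
    (defence in depth for callers that pass a path, not just a name)."""
    root = posixpath.normpath(media_root)
    final = posixpath.normpath(posixpath.join(root, *paths))
    if posixpath.commonpath([root, final]) != root:
        raise ValueError(f"{final!r} escapes {root!r}")
    return final


def rejected(fn, *args):
    """True if fn(*args) raises ValueError (helper for the checks below)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Note that `safe_join` also catches an absolute second argument: `posixpath.join` discards everything before `/etc/passwd`, and the common-path test then fails, which is the case a naive `startswith` check on the unnormalised string would miss.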