Djangoproject

Django

123 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2022-34265

  • EPSS 92.73%
  • Published 04.07.2022 16:15:09
  • Last modified 21.11.2024 07:09:10

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and...

9.8

CVE-2022-28347

  • EPSS 1.52%
  • Published 12.04.2022 05:15:07
  • Last modified 21.11.2024 06:57:11

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the inject...

9.8

CVE-2022-28346

  • EPSS 5.86%
  • Published 12.04.2022 05:15:06
  • Last modified 21.11.2024 06:57:11

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as...

6.1

CVE-2022-22818

Exploit
  • EPSS 1.11%
  • Published 03.02.2022 02:15:07
  • Last modified 21.11.2024 06:47:30

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

7.5

CVE-2022-23833

  • EPSS 0.62%
  • Published 03.02.2022 02:15:07
  • Last modified 21.11.2024 06:49:20

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

7.5

CVE-2021-45115

  • EPSS 0.35%
  • Published 05.01.2022 00:15:07
  • Last modified 21.11.2024 06:31:59

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison ...

7.5

CVE-2021-45116

  • EPSS 0.19%
  • Published 05.01.2022 00:15:07
  • Last modified 22.05.2025 19:15:27

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosur...

5.3

CVE-2021-45452

  • EPSS 0.25%
  • Published 05.01.2022 00:15:07
  • Last modified 21.11.2024 06:32:14

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

7.5

CVE-2021-44420

  • EPSS 0.13%
  • Published 08.12.2021 00:15:07
  • Last modified 21.11.2024 06:30:56

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

9.8

CVE-2021-35042

  • EPSS 6.96%
  • Published 02.07.2021 10:15:07
  • Last modified 21.11.2024 06:11:43

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.