- EPSS 6.78%
- Veröffentlicht 16.01.2015 16:59:18
- Zuletzt bearbeitet 06.05.2026 22:30:45
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
CVE-2014-0480
- EPSS 2.28%
- Veröffentlicht 26.08.2014 14:55:05
- Zuletzt bearbeitet 06.05.2026 22:30:45
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slas...
CVE-2014-0481
- EPSS 2.45%
- Veröffentlicht 26.08.2014 14:55:05
- Zuletzt bearbeitet 06.05.2026 22:30:45
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is up...
- EPSS 1.96%
- Veröffentlicht 26.08.2014 14:55:05
- Zuletzt bearbeitet 06.05.2026 22:30:45
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticat...
CVE-2014-0483
- EPSS 1.98%
- Veröffentlicht 26.08.2014 14:55:05
- Zuletzt bearbeitet 06.05.2026 22:30:45
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated use...
CVE-2014-3730
- EPSS 3.12%
- Veröffentlicht 16.05.2014 15:55:05
- Zuletzt bearbeitet 06.05.2026 22:30:45
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as de...
CVE-2014-1418
- EPSS 2.55%
- Veröffentlicht 16.05.2014 15:55:04
- Zuletzt bearbeitet 06.05.2026 22:30:45
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the ca...
- EPSS 1.99%
- Veröffentlicht 23.04.2014 15:55:03
- Zuletzt bearbeitet 06.05.2026 22:30:45
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie...
- EPSS 4.75%
- Veröffentlicht 23.04.2014 15:55:03
- Zuletzt bearbeitet 06.05.2026 22:30:45
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote att...
CVE-2014-0472
- EPSS 5.65%
- Veröffentlicht 23.04.2014 15:55:02
- Zuletzt bearbeitet 06.05.2026 22:30:45
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URL...