Djangoproject

Django

153 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 2.3%
  • Veröffentlicht 04.10.2013 17:55:10
  • Zuletzt bearbeitet 29.04.2026 01:13:23

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities...

Exploit
  • EPSS 2.88%
  • Veröffentlicht 04.10.2013 17:55:09
  • Zuletzt bearbeitet 29.04.2026 01:13:23

Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.

  • EPSS 2.66%
  • Veröffentlicht 23.09.2013 20:55:07
  • Zuletzt bearbeitet 29.04.2026 01:13:23

The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.

  • EPSS 3.18%
  • Veröffentlicht 16.09.2013 19:14:39
  • Zuletzt bearbeitet 29.04.2026 01:13:23

Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi t...

  • EPSS 1.81%
  • Veröffentlicht 02.05.2013 14:55:05
  • Zuletzt bearbeitet 29.04.2026 01:13:23

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history in...

  • EPSS 2.57%
  • Veröffentlicht 02.05.2013 14:55:05
  • Zuletzt bearbeitet 29.04.2026 01:13:23

The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors ...

  • EPSS 3.64%
  • Veröffentlicht 18.11.2012 23:55:01
  • Zuletzt bearbeitet 16.06.2026 23:45:15

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

  • EPSS 2.64%
  • Veröffentlicht 31.07.2012 17:55:04
  • Zuletzt bearbeitet 16.06.2026 23:43:13

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploadin...

  • EPSS 1.77%
  • Veröffentlicht 31.07.2012 17:55:04
  • Zuletzt bearbeitet 16.06.2026 23:43:14

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (proces...

  • EPSS 2.07%
  • Veröffentlicht 31.07.2012 17:55:01
  • Zuletzt bearbeitet 16.06.2026 23:43:13

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site...