CVE-2013-6044
- EPSS 2.3%
- Veröffentlicht 04.10.2013 17:55:10
- Zuletzt bearbeitet 29.04.2026 01:13:23
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities...
CVE-2013-4249
- EPSS 2.88%
- Veröffentlicht 04.10.2013 17:55:09
- Zuletzt bearbeitet 29.04.2026 01:13:23
Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.
- EPSS 2.66%
- Veröffentlicht 23.09.2013 20:55:07
- Zuletzt bearbeitet 29.04.2026 01:13:23
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.
- EPSS 3.18%
- Veröffentlicht 16.09.2013 19:14:39
- Zuletzt bearbeitet 29.04.2026 01:13:23
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi t...
- EPSS 1.81%
- Veröffentlicht 02.05.2013 14:55:05
- Zuletzt bearbeitet 29.04.2026 01:13:23
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history in...
- EPSS 2.57%
- Veröffentlicht 02.05.2013 14:55:05
- Zuletzt bearbeitet 29.04.2026 01:13:23
The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors ...
CVE-2012-4520
- EPSS 3.64%
- Veröffentlicht 18.11.2012 23:55:01
- Zuletzt bearbeitet 16.06.2026 23:45:15
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
- EPSS 2.64%
- Veröffentlicht 31.07.2012 17:55:04
- Zuletzt bearbeitet 16.06.2026 23:43:13
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploadin...
- EPSS 1.77%
- Veröffentlicht 31.07.2012 17:55:04
- Zuletzt bearbeitet 16.06.2026 23:43:14
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (proces...
CVE-2012-3442
- EPSS 2.07%
- Veröffentlicht 31.07.2012 17:55:01
- Zuletzt bearbeitet 16.06.2026 23:43:13
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site...