Djangoproject

Django

123 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2022-34265

  • EPSS 92.73%
  • Veröffentlicht 04.07.2022 16:15:09
  • Zuletzt bearbeitet 21.11.2024 07:09:10

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and...

9.8

CVE-2022-28347

  • EPSS 1.52%
  • Veröffentlicht 12.04.2022 05:15:07
  • Zuletzt bearbeitet 21.11.2024 06:57:11

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the inject...

9.8

CVE-2022-28346

  • EPSS 5.86%
  • Veröffentlicht 12.04.2022 05:15:06
  • Zuletzt bearbeitet 21.11.2024 06:57:11

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as...

6.1

CVE-2022-22818

Exploit
  • EPSS 1.11%
  • Veröffentlicht 03.02.2022 02:15:07
  • Zuletzt bearbeitet 21.11.2024 06:47:30

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

7.5

CVE-2022-23833

  • EPSS 0.62%
  • Veröffentlicht 03.02.2022 02:15:07
  • Zuletzt bearbeitet 21.11.2024 06:49:20

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

7.5

CVE-2021-45115

  • EPSS 0.28%
  • Veröffentlicht 05.01.2022 00:15:07
  • Zuletzt bearbeitet 21.11.2024 06:31:59

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison ...

7.5

CVE-2021-45116

  • EPSS 0.19%
  • Veröffentlicht 05.01.2022 00:15:07
  • Zuletzt bearbeitet 22.05.2025 19:15:27

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosur...

5.3

CVE-2021-45452

  • EPSS 0.25%
  • Veröffentlicht 05.01.2022 00:15:07
  • Zuletzt bearbeitet 21.11.2024 06:32:14

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

7.5

CVE-2021-44420

  • EPSS 0.13%
  • Veröffentlicht 08.12.2021 00:15:07
  • Zuletzt bearbeitet 21.11.2024 06:30:56

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

9.8

CVE-2021-35042

  • EPSS 6.96%
  • Veröffentlicht 02.07.2021 10:15:07
  • Zuletzt bearbeitet 21.11.2024 06:11:43

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.