CVE-2021-45115
- EPSS 0.42%
- Published 05.01.2022 00:15:07
- Last modified 21.11.2024 06:31:59
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison ...
CVE-2021-45116
- EPSS 0.26%
- Published 05.01.2022 00:15:07
- Last modified 22.05.2025 19:15:27
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosur...
CVE-2021-45452
- EPSS 0.34%
- Published 05.01.2022 00:15:07
- Last modified 21.11.2024 06:32:14
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
CVE-2021-44420
- EPSS 0.14%
- Published 08.12.2021 00:15:07
- Last modified 21.11.2024 06:30:56
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
CVE-2021-35042
- EPSS 14.96%
- Published 02.07.2021 10:15:07
- Last modified 21.11.2024 06:11:43
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
CVE-2021-33203
- EPSS 0.33%
- Published 08.06.2021 18:15:08
- Last modified 21.11.2024 06:08:30
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and onl...
CVE-2021-33571
- EPSS 0.02%
- Published 08.06.2021 18:15:08
- Last modified 21.11.2024 06:09:06
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based o...
CVE-2021-32052
- EPSS 1.08%
- Published 06.05.2021 16:15:07
- Last modified 21.11.2024 06:06:46
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, hea...
CVE-2021-31542
- EPSS 6.89%
- Published 05.05.2021 15:15:08
- Last modified 21.11.2024 06:05:52
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVE-2021-28658
- EPSS 2.27%
- Published 06.04.2021 15:15:13
- Last modified 21.11.2024 06:00:02
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.