Djangoproject

Django

128 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
3.1

CVE-2016-2513

  • EPSS 1.09%
  • Veröffentlicht 08.04.2016 15:59:07
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

7.4

CVE-2016-2512

  • EPSS 0.46%
  • Veröffentlicht 08.04.2016 15:59:06
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containi...

6

CVE-2016-2048

  • EPSS 0.14%
  • Veröffentlicht 08.02.2016 19:59:05
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" pe...

5

CVE-2015-8213

  • EPSS 2.17%
  • Veröffentlicht 07.12.2015 20:59:17
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setti...

5

CVE-2015-5964

  • EPSS 4.37%
  • Veröffentlicht 24.08.2015 14:59:09
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote...

5

CVE-2015-5963

  • EPSS 5.34%
  • Veröffentlicht 24.08.2015 14:59:08
  • Zuletzt bearbeitet 12.04.2025 10:46:40

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record remova...

7.8

CVE-2015-5145

  • EPSS 1.43%
  • Veröffentlicht 14.07.2015 17:59:08
  • Zuletzt bearbeitet 12.04.2025 10:46:40

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

4.3

CVE-2015-5144

  • EPSS 2.24%
  • Veröffentlicht 14.07.2015 17:59:07
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character ...

7.8

CVE-2015-5143

  • EPSS 15.81%
  • Veröffentlicht 14.07.2015 17:59:06
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

5

CVE-2015-3982

  • EPSS 0.32%
  • Veröffentlicht 02.06.2015 14:59:10
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.