Djangoproject

Django

123 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
  • EPSS 5.34%
  • Published 24.08.2015 14:59:08
  • Last modified 12.04.2025 10:46:40

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record remova...

  • EPSS 1.94%
  • Published 14.07.2015 17:59:08
  • Last modified 12.04.2025 10:46:40

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

  • EPSS 2.24%
  • Published 14.07.2015 17:59:07
  • Last modified 12.04.2025 10:46:40

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character ...

  • EPSS 15.81%
  • Published 14.07.2015 17:59:06
  • Last modified 12.04.2025 10:46:40

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

  • EPSS 0.32%
  • Published 02.06.2015 14:59:10
  • Last modified 12.04.2025 10:46:40

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

  • EPSS 4.67%
  • Published 25.03.2015 14:59:04
  • Last modified 12.04.2025 10:46:40

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a con...

  • EPSS 2%
  • Published 25.03.2015 14:59:02
  • Last modified 12.04.2025 10:46:40

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the ...

Exploit
  • EPSS 0.26%
  • Published 12.03.2015 14:59:05
  • Last modified 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as d...

  • EPSS 6.2%
  • Published 16.01.2015 16:59:21
  • Last modified 12.04.2025 10:46:40

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

Exploit
  • EPSS 11.72%
  • Published 16.01.2015 16:59:20
  • Last modified 12.04.2025 10:46:40

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.