Page 18 of 106 results (0.009 seconds)

CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0

Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag. Vulnerabilidad de recorrido de directorios en Django 1.4.x anterior a 1.4.7, 1.5.x anterior a 1.5.3, y 1.6.x anterior a 1.6 beta 3 permite a atacantes remotos leer ficheros arbitrarios a través de una ruta de fichero en la opción ALLOWED_INCLUDE_ROOTS en una etiqueta de plantilla ssi • http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html http://rhn.redhat.com/errata/RHSA-2013-1521.html http://secunia.com/advisories/54772 http://secunia.com/advisories/54828 http://www.debian.org/security/2013/dsa-2755 https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued https://access.redhat.com/security/cve/CVE-2013-4315 https://bugzilla.redhat.com/show_bug.cgi?id=1004969 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 2

Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField. Vulnerabilidad de XSS en el widget AdminURLFieldWidget en contrib/admin/widgets.py de Django 1.5.x anterior a la versión 1.5.2 y 1.6.x anterior a 1.6 beta 2 permite a atacantes remotos inyectar script web arbitrario o HTML a través de una URLField. • http://seclists.org/oss-sec/2013/q3/369 http://seclists.org/oss-sec/2013/q3/411 http://secunia.com/advisories/54476 http://www.securitytracker.com/id/1028915 https://exchange.xforce.ibmcloud.com/vulnerabilities/86438 https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78 https://github.com/django/django/commit/cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560 https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 0

The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter. Vulnerabilidad sin especificar en el formulario "library" en Django v1.3.x antes de v1.3.6, v1.4.x antes de v1.4.4, v1.5 antes de release candidate v2 permite a atacantes remotos evitar las restricciones de los recursos y causar una denegación de servicios (consumo de memoria) o disparar errores del servidor a través de un parámetro max_num modificado. • http://rhn.redhat.com/errata/RHSA-2013-0670.html http://ubuntu.com/usn/usn-1757-1 http://www.debian.org/security/2013/dsa-2634 https://www.djangoproject.com/weblog/2013/feb/19/security https://access.redhat.com/security/cve/CVE-2013-0306 https://bugzilla.redhat.com/show_bug.cgi?id=913042 • CWE-189: Numeric Errors •

CVSS: 4.0EPSS: 0%CPEs: 17EXPL: 0

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information. La interfaz administrativa para Django v1.3.x antes de v1.3.6, v1.4.x antes de v1.4.4, y v1.5 antes de la release candidate v2 no comprueba los permisos para la vista del historial, que permite a usuarios administradores autenticados obtener información del historial. • http://rhn.redhat.com/errata/RHSA-2013-0670.html http://ubuntu.com/usn/usn-1757-1 http://www.debian.org/security/2013/dsa-2634 https://www.djangoproject.com/weblog/2013/feb/19/security https://access.redhat.com/security/cve/CVE-2013-0305 https://bugzilla.redhat.com/show_bug.cgi?id=913041 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values. La función django.http.HttpRequest.get_host en Django v1.3.x antes de v1.3.4 y v1.4.x antes de v1.4.2, permite a atacantes remotos generar y mostrar URLs de su elección a través de nombre de usuario y contraseña de la cabecera Host manipulados. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145 http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html http://secunia.com/advisories/51033 http://secunia.com/advisories/51314 http://securitytracker.com/id?1027708 http://ubuntu.com/usn/usn-1632-1 http://ubuntu.com/usn/usn-1757-1 http:/&#x • CWE-20: Improper Input Validation •