CVSS: 4.3EPSS: 2%CPEs: 18EXPL: 1CVE-2015-0220 – Ubuntu Security Notice USN-2469-1
https://notcve.org/view.php?id=CVE-2015-0220
14 Jan 2015 — The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL. La función django.util.http.is_safe_url en Django anterior a 1.4.18, 1.6.x anterior a 1.6.10, y 1.7.x anterior a 1.7.3 no maneja correctamente los espacios en blanco líder, lo que permite a at... • http://advisories.mageia.org/MGASA-2015-0026.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 8%CPEs: 18EXPL: 1CVE-2015-0221 – Ubuntu Security Notice USN-2469-1
https://notcve.org/view.php?id=CVE-2015-0221
14 Jan 2015 — The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. La visualización django.views.static.serve en Django anterior a 1.4.18, 1.6.x anterior a 1.6.10, y 1.7.x anterior a 1.7.3 lee ficheros por líneas enteras, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de una lí... • http://advisories.mageia.org/MGASA-2015-0026.html • CWE-399: Resource Management Errors •
CVSS: 5.3EPSS: 4%CPEs: 18EXPL: 0CVE-2015-0222 – Ubuntu Security Notice USN-2469-1
https://notcve.org/view.php?id=CVE-2015-0222
14 Jan 2015 — ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries. ModelMultipleChoiceField en Django 1.6.x anterior a 1.6.10 y 1.7.x anterior a 1.7.3, cuando show_hidden_initial está configurado a 'True', permite a atacantes remotos causar una denegación de servicio mediante la presentación de valores duplicados, lo que provo... • http://advisories.mageia.org/MGASA-2015-0026.html • CWE-17: DEPRECATED: Code •
CVSS: 5.8EPSS: 0%CPEs: 42EXPL: 0CVE-2014-0480 – Mandriva Linux Security Advisory 2014-179
https://notcve.org/view.php?id=CVE-2014-0480
25 Aug 2014 — The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated. La función core.urlresolvers.reverse en Django anterior a 1.4.14, 1.5.x anterior a 1.5.9, 1.6.x anterior a 1.6.6, y 1.7 anterior a release candidate 3 no valida debidamente las URLs, lo que permi... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 1%CPEs: 43EXPL: 0CVE-2014-0481 – Mandriva Linux Security Advisory 2014-179
https://notcve.org/view.php?id=CVE-2014-0481
25 Aug 2014 — The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name. La configuración por defecto para el sistema del manejo de la subida de ficheros en Django anterior a 1.4.14, 1.5.x anterior a ... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-399: Resource Management Errors •
CVSS: 6.0EPSS: 0%CPEs: 42EXPL: 0CVE-2014-0482 – Mandriva Linux Security Advisory 2014-179
https://notcve.org/view.php?id=CVE-2014-0482
25 Aug 2014 — The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. El middleware contrib.auth.middleware.RemoteUserMiddleware en Django anterior a 1.4.14, 1.5.x anterior a 1.5.9, 1.6.x anterior a 1.6.6, y 1.7 anterior a release candidate 3, cuando ut... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-287: Improper Authentication •
CVSS: 3.5EPSS: 0%CPEs: 42EXPL: 1CVE-2014-0483 – Mandriva Linux Security Advisory 2014-179
https://notcve.org/view.php?id=CVE-2014-0483
25 Aug 2014 — The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. La interfaz administrativa (contrib.admin) en Django anterior a 1.4.14, 1.5.x anterior a 1.5.... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.6EPSS: 6%CPEs: 28EXPL: 1CVE-2014-0472 – python-django: unexpected code execution using reverse()
https://notcve.org/view.php?id=CVE-2014-0472
22 Apr 2014 — The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path." La función django.core.urlresolvers.reverse en Django anterior a 1.4.11, 1.5.x anterior a 1.5.6, 1.6.x anterior a 1.6.3 y 1.7.x anterior a 1.7 beta 2 permite a atacantes remotos importar y ejecutar módulos Python ar... • https://github.com/christasa/CVE-2014-0472 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 28EXPL: 0CVE-2014-0473 – python-django: caching of anonymous pages could reveal CSRF token
https://notcve.org/view.php?id=CVE-2014-0473
22 Apr 2014 — The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users. La plataforma de caché en Django anterior a 1.4.11, 1.5.x anterior a 1.5.6, 1.6.x anterior a 1.6.3 y 1.7.x anterior a 1.7 beta 2 reutiliza un token de CSRF en caché para todos los usuarios anónimos, lo que permite a atacantes remotos evadir... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-264: Permissions, Privileges, and Access Controls CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 5%CPEs: 28EXPL: 0CVE-2014-0474 – python-django: MySQL typecasting
https://notcve.org/view.php?id=CVE-2014-0474
22 Apr 2014 — The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting." Las clases de campo de modelo (1) FilePathField, (2) GenericIPAddressField y (3) IPAddressField en Django anterior a 1.4.11, 1.5.x anterior a 1.5.6, 1.6.x anterior a1.6.3 y 1.7.x ante... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-399: Resource Management Errors •