CVSS: 6.1EPSS: 2%CPEs: 3EXPL: 0CVE-2019-12308 – Debian Security Advisory 4476-1
https://notcve.org/view.php?id=CVE-2019-12308
03 Jun 2019 — An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. Se descubrió un problema en Django 1.11 antes de 1.11.21, 2.1 anterior de la versión 2.1.9 y 2.2 anterior de la versión 2.2.2. El va... • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 0CVE-2019-6975 – Ubuntu Security Notice USN-3890-1
https://notcve.org/view.php?id=CVE-2019-6975
11 Feb 2019 — Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. Django, en versiones 1.11.x anteriores a la 1.11.19, versiones 2.0.x anteriores a la 2.0.11 y versiones 2.1.x anteriores a la 2.1.6, permite el consumo incontrolado de memoria mediante un valor malicioso proporcionado por el atacante a la función django.utils.numberformat.format(). Three security issues we... • http://www.securityfocus.com/bid/106964 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0CVE-2019-3498 – Ubuntu Security Notice USN-3851-1
https://notcve.org/view.php?id=CVE-2019-3498
08 Jan 2019 — In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. En Django, en versiones 1.11.x anteriores a la 1.11.18, versiones 2.0.x anteriores a la 2.0.10 y 2.1.x anteriores a la 2.1.5, existe una neutralización incorrecta de ele... • http://www.securityfocus.com/bid/106453 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2018-14574 – django: Open redirect possibility in CommonMiddleware
https://notcve.org/view.php?id=CVE-2018-14574
01 Aug 2018 — django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. django.middleware.common.CommonMiddleware en Django en versiones 1.11.x anteriores a la 1.11.15 y versiones 2.0.x anteriores a la 2.0.8 tiene una redirección abierta. When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect. Red Hat Gluster Stor... • http://www.securityfocus.com/bid/104970 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 0%CPEs: 11EXPL: 0CVE-2018-7536 – django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'
https://notcve.org/view.php?id=CVE-2018-7536
06 Mar 2018 — An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. Se ha descubierto un problema en Django, en versiones 2.0 anteriores a la 2.0.3; versiones... • http://www.securityfocus.com/bid/103361 • CWE-185: Incorrect Regular Expression CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 9EXPL: 0CVE-2018-7537 – django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html'
https://notcve.org/view.php?id=CVE-2018-7537
06 Mar 2018 — An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. Se ha descubierto un problema en Django, en ver... • http://www.securityfocus.com/bid/103357 • CWE-185: Incorrect Regular Expression CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-6188 – django: Information leakage in AuthenticationForm
https://notcve.org/view.php?id=CVE-2018-6188
05 Feb 2018 — django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive. django.contrib.auth.forms.AuthenticationForm en Django 2.0 anterior a 2.0.2 y 1.11.8 y 1.11.9 permte que atacantes remotos obtengan información potencialmente sensible aprovechando la exposición de datos del méto... • http://www.securitytracker.com/id/1040422 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •