CVSS: 4.3EPSS: 0%CPEs: 53EXPL: 0CVE-2015-2317 – Ubuntu Security Notice USN-2539-1
https://notcve.org/view.php?id=CVE-2015-2317
23 Mar 2015 — The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. La función utils.http.is_safe_url en Django anterior a 1.4.20, 1.5.x, 1.6.x anterior a 1.6.11, 1.7.x anterior a 1.7.7, y 1.8.x anterior a 1.8c1 no valida correctamente las URLs, lo que permite a ... • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2015-2241 – Mandriva Linux Security Advisory 2015-109
https://notcve.org/view.php?id=CVE-2015-2241
12 Mar 2015 — Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property. Vulnerabilidad de XSS en la función de contenidos en admin/helpers.py en Django anterior a 1.7.6 y 1.8 anterior a 1.8b2 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de un atributo de mode... • http://www.mandriva.com/security/advisories?name=MDVSA-2015:109 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 1CVE-2015-0220 – Ubuntu Security Notice USN-2469-1
https://notcve.org/view.php?id=CVE-2015-0220
14 Jan 2015 — The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL. La función django.util.http.is_safe_url en Django anterior a 1.4.18, 1.6.x anterior a 1.6.10, y 1.7.x anterior a 1.7.3 no maneja correctamente los espacios en blanco líder, lo que permite a at... • http://advisories.mageia.org/MGASA-2015-0026.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 14EXPL: 1CVE-2015-0219 – Ubuntu Security Notice USN-2469-1
https://notcve.org/view.php?id=CVE-2015-0219
14 Jan 2015 — Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. Django anterior a 1.4.18, 1.6.x anterior a 1.6.10, y 1.7.x anterior a 1.7.3 permite a atacantes remotos falsificar cabeceras WSGI mediante el uso de un caracter _ (guión bajo) en lugar de un caracter - (guión) en una cabecera HTTP, tal y como fue demostrado por una cabe... • http://advisories.mageia.org/MGASA-2015-0026.html • CWE-17: DEPRECATED: Code •
CVSS: 5.3EPSS: 9%CPEs: 18EXPL: 1CVE-2015-0221 – Ubuntu Security Notice USN-2469-1
https://notcve.org/view.php?id=CVE-2015-0221
14 Jan 2015 — The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. La visualización django.views.static.serve en Django anterior a 1.4.18, 1.6.x anterior a 1.6.10, y 1.7.x anterior a 1.7.3 lee ficheros por líneas enteras, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de una lí... • http://advisories.mageia.org/MGASA-2015-0026.html • CWE-399: Resource Management Errors •
CVSS: 5.3EPSS: 2%CPEs: 18EXPL: 0CVE-2015-0222 – Ubuntu Security Notice USN-2469-1
https://notcve.org/view.php?id=CVE-2015-0222
14 Jan 2015 — ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries. ModelMultipleChoiceField en Django 1.6.x anterior a 1.6.10 y 1.7.x anterior a 1.7.3, cuando show_hidden_initial está configurado a 'True', permite a atacantes remotos causar una denegación de servicio mediante la presentación de valores duplicados, lo que provo... • http://advisories.mageia.org/MGASA-2015-0026.html • CWE-17: DEPRECATED: Code •
CVSS: 5.8EPSS: 0%CPEs: 42EXPL: 0CVE-2014-0480 – Mandriva Linux Security Advisory 2014-179
https://notcve.org/view.php?id=CVE-2014-0480
25 Aug 2014 — The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated. La función core.urlresolvers.reverse en Django anterior a 1.4.14, 1.5.x anterior a 1.5.9, 1.6.x anterior a 1.6.6, y 1.7 anterior a release candidate 3 no valida debidamente las URLs, lo que permi... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-20: Improper Input Validation •
CVSS: 3.5EPSS: 0%CPEs: 42EXPL: 1CVE-2014-0483 – Mandriva Linux Security Advisory 2014-179
https://notcve.org/view.php?id=CVE-2014-0483
25 Aug 2014 — The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. La interfaz administrativa (contrib.admin) en Django anterior a 1.4.14, 1.5.x anterior a 1.5.... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 3%CPEs: 43EXPL: 0CVE-2014-0481 – Mandriva Linux Security Advisory 2014-179
https://notcve.org/view.php?id=CVE-2014-0481
25 Aug 2014 — The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name. La configuración por defecto para el sistema del manejo de la subida de ficheros en Django anterior a 1.4.14, 1.5.x anterior a ... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-399: Resource Management Errors •
CVSS: 6.0EPSS: 0%CPEs: 42EXPL: 0CVE-2014-0482 – Mandriva Linux Security Advisory 2014-179
https://notcve.org/view.php?id=CVE-2014-0482
25 Aug 2014 — The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. El middleware contrib.auth.middleware.RemoteUserMiddleware en Django anterior a 1.4.14, 1.5.x anterior a 1.5.9, 1.6.x anterior a 1.6.6, y 1.7 anterior a release candidate 3, cuando ut... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-287: Improper Authentication •