Page 2 of 26 results (0.024 seconds)

CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. La función get_format en utils/formats.py en Django en versiones anteriores a 1.7.x en versiones anteriores a 1.7.11, 1.8.x en versiones anteriores a 1.8.7 y 1.9.x en versiones anteriores a 1.9rc2 puede permitir a atacantes remotos obtener secretos sensibles de aplicaciones a través de una clave de ajustes en lugar de un ajuste de formato de fecha/hora, según lo demostrado por SECRET_KEY. An information-exposure flaw was found in the Django date filter. If an application allowed users to provide non-validated date formats, a malicious end user could expose application-settings data by providing the relevant applications-settings key instead of a valid date format. • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html http://rhn.redhat.com/errata/RHSA-2016-0129.html http://rhn.redhat.com/errata/RHSA-2016-0156.html http://rhn.redhat.com/errata/RHSA-2016-0157.html http://rhn.redhat.com/errata/RHSA-2016-0158.h • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 2%CPEs: 43EXPL: 0

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record. Vulnerabilidad en contrib.sessions.middleware.SessionMiddleware en Django 1.8.x en versiones anteriores a 1.8.4, 1.7.x en versiones anteriores a 1.7.10, 1.4.x en versiones anteriores a 1.4.22 y posiblemente otras versiones, permite a atacantes remotos causar una denegación de servicio (consumo de almacén de sesión o eliminación de registro de sesión) a través de un gran número de peticiones a contrib.auth.views.logout, lo que desencadena la creación de un registro de sesión vacío. It was found that Django incorrectly handled the session store. A session could be created by anonymously accessing the django.contrib.auth.views.logout view if it was not decorated correctly with django.contrib.auth.decorators.login_required. A remote attacker could use this flaw to fill up the session store or cause other users' session records to be evicted by requesting a large number of new sessions. • http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html http://lists.opensuse.org/opensuse-updates/2015-09/msg00026.html http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html http://rhn.redhat.com/errata/RHSA-2015-1766.html http://rhn.redhat.com/errata/RHSA-2015-1767.html http://rhn.redhat.com/errata/RHSA-2015-1894.html http://www.debian.org/security/2015/dsa-3338 http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html http: • CWE-399: Resource Management Errors CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 5.0EPSS: 1%CPEs: 43EXPL: 0

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. Vulnerabilidad en las funciones (1) contrib.sessions.backends.base.SessionBase.flush y (2) cache_db.SessionStore.flush en Django 1.7.x en versiones anteriores a 1.7.10, 1.4.x en versiones anteriores a 1.4.22 y posiblemente en otras versiones, crea sesiones vacías en ciertas circunstancias, que permite a atacantes remotos causar una denegación de servicio (consumo de almacén de sesión) a través de vectores no especificados. It was found that certain Django functions would, in certain circumstances, create empty sessions. A remote attacker could use this flaw to fill up the session store or cause other users' session records to be evicted by requesting a large number of new sessions. • http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html http://rhn.redhat.com/errata/RHSA-2015-1766.html http://rhn.redhat.com/errata/RHSA-2015-1767.html http://rhn.redhat.com/errata/RHSA-2015-1894.html http://www.debian.org/security/2015/dsa-3338 http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html http://www.securityfocus.com/bid/76440 http://www.securitytracker.com/id/1033318 http://www.ubuntu.com/usn/USN-2720-1 https: • CWE-399: Resource Management Errors CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 4.3EPSS: 0%CPEs: 58EXPL: 0

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. Django antes de 1.4.21, de 1.5.x hasta 1.6.x, 1.7.x anteriores a 1.7.9 y 1.8.x anteriores a 1.8.3 utiliza una expresión regular incorrecta lo que permite a atacantes remotos inyectar cabeceras arbitrarias para realizar ataques de división de respuesta HTTP a través de un caracter de nueva línea en (1) mensaje de correo electrónico al EmailValidator, ( 2 ) una URL al URLValidator o vectores no especificados en el ( 3 ) validate_ipv4_address o (4 ) validador validate_slug. • http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html http://www.debian.org/security/2015/dsa-3305 http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html http://www.securityfocus.com/bid/75665 http://www.securitytracker.com/id/1032820 http://www.ubuntu.com/usn/USN-2671-1 https://security.gentoo.org/glsa/ • CWE-20: Improper Input Validation •

CVSS: 7.8EPSS: 13%CPEs: 57EXPL: 0

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys. La sesión Backend en Django anteriores a 1.4.21, de 1.5.x hasta 1.6.x, 1.7.x anteriores a 1.7.9 y 1.8.x anteriores a 1.8.3, permite a un atacante causar una denegación de servicios mediante el consumo de almacenamiento de sesión a través de múltiples peticiones con una única clave de sesión. A flaw was found in the Django session backend, which could allow an unauthenticated attacker to create session records in the configured session store, causing a denial of service by filling up the session store. • http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html http://rhn.redhat.com/errata/RHSA-2015-1678.html http://rhn.redhat.com/errata/RHSA-2015-1686.html http://www.debian.org/security/2015/dsa-3305 http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html http://www.securityfocus.com/bid/75666 http://www.s • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •