Page 21 of 103 results (0.005 seconds)

CVSS: 4.0EPSS: 0%CPEs: 16EXPL: 3

CVE-2010-4534

https://notcve.org/view.php?id=CVE-2010-4534

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter. El interfaz de administración de django.contrib.admin de Django en versiones anteriores a 1.1.3, 1.2.x anteriores a 1.2.4, y 1.3.x anteriores a 1.3 beta 1 no restringen apropiadamente el uso de la cadena de consulta para realizar filtrado de objetos. Lo que permite a usuarios autenticados remotos obtener información confidencial a través de peticiones que contengan expresiones regulares, como se ha demostrado con el parámetro created_by__password__regex. • http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html http://code.djangoproject.com/changeset/15031 http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter http://secunia.com/advisories/42715 http://secunia • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

CVE-2010-3082

https://notcve.org/view.php?id=CVE-2010-3082

Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Django 1.2.x, en versiones anteriores a la 1.2.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante una cookie csrfmiddlewaretoken (también conocida como csrf_token). • http://marc.info/?l=oss-security&m=128403961700444&w=2 http://www.djangoproject.com/weblog/2010/sep/08/security-release http://www.securityfocus.com/bid/43116 http://www.ubuntu.com/usn/USN-1004-1 https://bugzilla.redhat.com/show_bug.cgi?id=632239 https://exchange.xforce.ibmcloud.com/vulnerabilities/61729 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 6%CPEs: 2EXPL: 0

CVE-2009-3695

https://notcve.org/view.php?id=CVE-2009-3695

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression. Vulnerabilidad de complejidad algorítmica en la forma library en Django v1.0 anterior v1.0.4 y v1.1 anterior v1.1.1 permite a atacantes remotos causar una denegación de servicio (consumo CPU( a través de (1) EmailField (dirección email) o (2) URLField (URL)que provoca una gran cantidad de backtracking (vuelta a atrás) en una expresión regular. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457 http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51 http://secunia.com/advisories/36948 http://secunia.com/advisories/36968 http://www.debian.org/security/2009/dsa-1905 http://www.djangoproject.com/weblog/2009/oct/09/security http://www.openwall.com/lists/oss-security/2009/10/13/6 http://www.securityfocus.com/bid/36655 http://www.vupen.com/english/advisories/2009/2871 https://exchange •