
CVE-2019-13177
https://notcve.org/view.php?id=CVE-2019-13177
02 Jul 2019 — verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument. • https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0 • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2018-1000089
https://notcve.org/view.php?id=CVE-2018-1000089
13 Mar 2018 — Anymail django-anymail versions 0.2 through 1.3 contain a CWE-532, CWE-209 vulnerability in the WEBHOOK_AUTHORIZATION setting value that can result in an attacker with access to error logs fabricating email tracking events. This attack appears to be exploitable if you have exposed your Django error reports: an attacker could discover your ANYMAIL_WEBHOOK setting and use it to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed ... • https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2018-6596 – Debian Security Advisory 4107-1
https://notcve.org/view.php?id=CVE-2018-6596
03 Feb 2018 — webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events. It was discovere... • https://bugs.debian.org/889450 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2017-16764
https://notcve.org/view.php?id=CVE-2017-16764
10 Nov 2017 — An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. The YAML parser can execute arbitrary Python code, resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability. • https://github.com/illagrenan/django-make-app/issues/5 •

CVE-2017-6591
https://notcve.org/view.php?id=CVE-2017-6591
09 Mar 2017 — There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field. • http://morningchen.com/2017/03/09/Cross-site-scripting-vulnerability-in-django-epiceditor • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2015-0846 – Debian Security Advisory 3230-1
https://notcve.org/view.php?id=CVE-2015-0846
20 Apr 2015 — django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors. James P. Turk discovered that the ReST renderer in django-markupfield, a custom Django f... • http://www.debian.org/security/2015/dsa-3230 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2009-2659
https://notcve.org/view.php?id=CVE-2009-2659
04 Aug 2009 — The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539134 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2008-3909
https://notcve.org/view.php?id=CVE-2008-3909
04 Sep 2008 — The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests. • http://osvdb.org/47906 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2008-2302
https://notcve.org/view.php?id=CVE-2008-2302
23 May 2008 — Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request. • http://secunia.com/advisories/30250 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2007-5828
https://notcve.org/view.php?id=CVE-2007-5828
05 Nov 2007 — Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. NOTE: this issue has been disputed by Debian, since product documentation includes a recommendation for a CSRF protection module that is included with the product. However, CVE considers this an issue because the default configuration does not use this module. • http://osvdb.org/45285 • CWE-352: Cross-Site Request Forgery (CSRF) •