CVE-2021-3950 – Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
https://notcve.org/view.php?id=CVE-2021-3950
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The page gives no further detail on the affected field or view; the fix is the linked commit.
References: https://github.com/django-helpdesk/django-helpdesk/commit/04483bdac3b5196737516398b5ce0383875a5c60 | https://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3945 – Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
https://notcve.org/view.php?id=CVE-2021-3945
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). This is a second, separately reported stored XSS with its own fix commit; the page gives no further detail on the affected field or view.
References: https://github.com/django-helpdesk/django-helpdesk/commit/2c7065e0c4296e0c692fb4a7ee19c7357583af30 | https://huntr.dev/bounties/745f483c-70ed-441f-ab2e-7ac1305439a4
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15225 – Denial of Service vulnerability in django-filter
https://notcve.org/view.php?id=CVE-2020-15225
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents (a value such as `1e100000000` forces the integer conversion to materialise a 100-million-digit number). Version 2.4.0+ applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` hook, which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users who cannot upgrade may manually apply an equivalent validator to the filter's form field.
References: https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b | https://github.com/carltongibson/django-filter/releases/tag/2.4.0 | https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK | https://lists.fedoraproject.org/archives/list/package
Weakness: CWE-681: Incorrect Conversion between Numeric Types
CVE-2021-21416 – Potential sensitive information disclosed in error reports
https://notcve.org/view.php?id=CVE-2021-21416
django-registration is a user registration package for Django that provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires all of the following:
- the site is using django-registration < 3.1.2;
- the site has detailed error reports enabled (such as Django's emailed error reports to site staff/developers);
- a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account.
Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password). Django's mechanism for keeping such fields out of its error reports is the `sensitive_post_parameters` decorator in `django.views.decorators.debug`; the fixed release applies it to the registration view.
References: https://github.com/ubernostrum/django-registration/security/advisories/GHSA-58c7-px5v-82hh
Weakness: CWE-209: Generation of Error Message Containing Sensitive Information
CVE-2020-17495 – Cleartext Storage of Sensitive Information in celery/django-celery-results
https://notcve.org/view.php?id=CVE-2020-17495
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the arguments passed into the tasks. Those arguments may contain sensitive cleartext information (credentials, tokens) that does not belong unencrypted in the database, where it is then subject to the database's own access controls, backups and log retention rather than the task's. The linked issue is the only reference; the page does not name a fixed version, so treat the mitigation as: do not pass secrets to tasks by value, or scrub them before anything persists the task's arguments.
References: https://github.com/celery/django-celery-results/issues/142
Weakness: CWE-312: Cleartext Storage of Sensitive Information
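One redaction helper serving both the django-registration entry (CVE-2021-21416: credentials copied into a 5xx error report) and the django-celery-results entry (CVE-2020-17495: task arguments persisted in cleartext), as an added example that is not code from either project or from Django. It is plain Python; `cleanse`, `error_report_post_data`, `task_result_row` and the field-name pattern are this page's own constructs, and the sample POST body and task call are constructed inputs. The substitute string matches the placeholder Django's debug reporting uses, but the matching logic here is by name and is deliberately over-inclusive.

```python
import re
from typing import Any, Iterable, Mapping

# Placeholder Django substitutes for filtered values in its error reports.
CLEANSED_SUBSTITUTE = "********************"

# Assumed field-name patterns. Over-matching ("token_count") is the safe
# direction; under-matching leaks. Callers add exact names via `sensitive`.
DEFAULT_SENSITIVE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.I)


def cleanse(data: Mapping[str, Any], sensitive: Iterable[str] = (),
            pattern: re.Pattern = DEFAULT_SENSITIVE) -> dict:
    """Return a copy of `data` with sensitive values replaced.

    Matching is by key: an exact name in `sensitive` (case-insensitive) or a
    hit on `pattern`. Nested mappings and sequences are walked, so a
    credentials dict buried inside kwargs is scrubbed too. The input is not
    mutated; callers keep the original for the code path that needs it.
    """
    names = {s.lower() for s in sensitive}

    def scrub(key, value):
        if key is not None and (key.lower() in names or pattern.search(key)):
            return CLEANSED_SUBSTITUTE
        if isinstance(value, Mapping):
            return {k: scrub(k, v) for k, v in value.items()}
        if isinstance(value, (list, tuple)):
            return type(value)(scrub(None, v) for v in value)
        return value

    return {k: scrub(k, v) for k, v in data.items()}


def error_report_post_data(post: Mapping[str, str]) -> dict:
    """What a 5xx report for a registration attempt should carry.

    The registration form's password fields are named explicitly; the pattern
    catches anything else that looks like a credential.
    """
    return cleanse(post, sensitive=("password1", "password2"))


def task_result_row(task_name: str, args: list, kwargs: Mapping[str, Any]) -> dict:
    """Shape a result row so persisting the task's arguments leaks nothing.

    Positional args have no names to match, so a bare secret passed
    positionally cannot be recognised here. The real fix for that case is
    to pass a reference (a settings key, a vault path) and resolve it inside
    the task, so the secret never enters the call signature at all.
    """
    return {
        "task_name": task_name,
        "task_args": [cleanse(a) if isinstance(a, Mapping) else a for a in args],
        "task_kwargs": cleanse(kwargs),
    }


if __name__ == "__main__":
    # Constructed registration POST that hit a 5xx.
    print(error_report_post_data({
        "username": "alice", "email": "alice@example.com",
        "password1": "hunter2", "password2": "hunter2",
    }))
    # Constructed task call whose kwargs would otherwise be stored verbatim.
    print(task_result_row("sync_mailbox", ["alice"], {
        "folder": "INBOX", "imap_password": "hunter2",
        "creds": {"api_key": "k-123", "region": "eu"},
    }))
```

Redaction is the fallback, not the fix. For error reports the right layer is Django's own decorator on the view, which applies this kind of filtering centrally; for task results, keep the secret out of the arguments so there is nothing to scrub.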