Page 3 of 18 results (0.013 seconds)

CVSS: 6.1EPSS: 1%CPEs: 3EXPL: 0

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. Se descubrió un problema en Django 1.11 antes de 1.11.21, 2.1 anterior de la versión 2.1.9 y 2.2 anterior de la versión 2.2.2. El valor de la URL actual en la que se puede hacer clic, mostrado por el AdminURLFieldWidget, muestra el valor proporcionado sin validarlo como una URL segura. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html http://www.openwall.com/lists/oss-security/2019/06/03/2 http://www.securityfocus.com/bid/108559 https://docs.djangoproject.com/en/dev/releases/1.11.21 https://docs.djangoproject.com/en/dev/releases/2.1.9 https://docs.djangoproject.com/en/dev/releases/2.2.2 https://docs.djangoproject.com/en/dev/releases/security https:/&#x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 0

Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. Django, en versiones 1.11.x anteriores a la 1.11.19, versiones 2.0.x anteriores a la 2.0.11 y versiones 2.1.x anteriores a la 2.1.6, permite el consumo incontrolado de memoria mediante un valor malicioso proporcionado por el atacante a la función django.utils.numberformat.format(). • http://www.securityfocus.com/bid/106964 https://docs.djangoproject.com/en/dev/releases/security https://groups.google.com/forum/#%21topic/django-announce/WTwEAprR0IQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ https://seclists.org/bugtraq/2019/Jul/10 https://usn.ubuntu.com/3890-1 https://www.debian.org/se • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 6.5EPSS: 1%CPEs: 10EXPL: 0

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. En Django, en versiones 1.11.x anteriores a la 1.11.18, versiones 2.0.x anteriores a la 2.0.10 y 2.1.x anteriores a la 2.1.5, existe una neutralización incorrecta de elementos especiales en las salidas empleadas por un componente de bajada en django.views.defaults.page_not_found(), lo que conduce a la suplantación de contenido (en una página de error 404) si un usuario fracasa a la hora de reconocer que una URL manipulada tiene contenido malicioso. • http://www.securityfocus.com/bid/106453 https://docs.djangoproject.com/en/dev/releases/security https://groups.google.com/forum/#%21topic/django-announce/VYU7xQQTEPQ https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ https://usn.ubuntu.com/3851-1 https://www.debian.org/security/2019/dsa-4363 https://www.djangoproject.com/weblog/2019/jan/04/security-release • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. django.middleware.common.CommonMiddleware en Django en versiones 1.11.x anteriores a la 1.11.15 y versiones 2.0.x anteriores a la 2.0.8 tiene una redirección abierta. When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect. • http://www.securityfocus.com/bid/104970 http://www.securitytracker.com/id/1041403 https://access.redhat.com/errata/RHSA-2019:0265 https://usn.ubuntu.com/3726-1 https://www.debian.org/security/2018/dsa-4264 https://www.djangoproject.com/weblog/2018/aug/01/security-releases https://access.redhat.com/security/cve/CVE-2018-14574 https://bugzilla.redhat.com/show_bug.cgi?id=1609031 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 5.3EPSS: 0%CPEs: 11EXPL: 0

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. Se ha descubierto un problema en Django, en versiones 2.0 anteriores a la 2.0.3; versiones 1.11 anteriores a la 1.11.11 y versiones 1.8 anteriores a la 1.8.19. La función django.utils.html.urlize() fue extremadamente lenta a la hora de evaluar ciertas entradas debido a vulnerabilidades catastróficas de búsqueda hacia atrás en dos expresiones regulares (solo una en el caso de las versiones 1.8.x de Django). • http://www.securityfocus.com/bid/103361 https://access.redhat.com/errata/RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2019:0051 https://access.redhat.com/errata/RHSA-2019:0082 https://access.redhat.com/errata/RHSA-2019:0265 https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2 https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16 https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8 https://lists.debian.org/debian-lts-announce/20 • CWE-185: Incorrect Regular Expression CWE-400: Uncontrolled Resource Consumption •