CVSS: 4.3EPSS: 0%CPEs: 43EXPL: 0CVE-2014-3730 – Debian Security Advisory 2934-1
https://notcve.org/view.php?id=CVE-2014-3730
16 May 2014 — The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." La función django.util.http.is_safe_url en Django 1.4 anterior a 1.4.13, 1.5 anterior a 1.5.8, 1.6 anterior a 1.6.5 y 1.7 anterior a 1.7b4 no valida debidamente URLs, lo que permite a atacantes remotos realizar ataques ... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 39EXPL: 0CVE-2014-1418 – Ubuntu Security Notice USN-2212-1
https://notcve.org/view.php?id=CVE-2014-1418
15 May 2014 — Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers. Django 1.4 anterior a 1.4.13, 1.5 anterior a 1.5.8, 1.6 anterior a 1.6.5 y 1.7 anterior a 1.7b4 no incluye debidamente la cabecera (1) Vary: Cookie o (2) Cache-Control en respuestas, lo que permite a atacantes remotos obt... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html •
CVSS: 5.6EPSS: 1%CPEs: 28EXPL: 1CVE-2014-0472 – python-django: unexpected code execution using reverse()
https://notcve.org/view.php?id=CVE-2014-0472
22 Apr 2014 — The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path." La función django.core.urlresolvers.reverse en Django anterior a 1.4.11, 1.5.x anterior a 1.5.6, 1.6.x anterior a 1.6.3 y 1.7.x anterior a 1.7 beta 2 permite a atacantes remotos importar y ejecutar módulos Python ar... • https://github.com/christasa/CVE-2014-0472 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 28EXPL: 0CVE-2014-0473 – python-django: caching of anonymous pages could reveal CSRF token
https://notcve.org/view.php?id=CVE-2014-0473
22 Apr 2014 — The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users. La plataforma de caché en Django anterior a 1.4.11, 1.5.x anterior a 1.5.6, 1.6.x anterior a 1.6.3 y 1.7.x anterior a 1.7 beta 2 reutiliza un token de CSRF en caché para todos los usuarios anónimos, lo que permite a atacantes remotos evadir... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-264: Permissions, Privileges, and Access Controls CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 1%CPEs: 28EXPL: 0CVE-2014-0474 – python-django: MySQL typecasting
https://notcve.org/view.php?id=CVE-2014-0474
22 Apr 2014 — The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting." Las clases de campo de modelo (1) FilePathField, (2) GenericIPAddressField y (3) IPAddressField en Django anterior a 1.4.11, 1.5.x anterior a 1.5.6, 1.6.x anterior a1.6.3 y 1.7.x ante... • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html • CWE-399: Resource Management Errors •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2013-6044 – python-django: xss in is_safe_url function
https://notcve.org/view.php?id=CVE-2013-6044
04 Oct 2013 — The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme. La función is_safe_url en utils/http.py de Django 1.4.x anterior a la versión 1.4.6, 1.5.x anterior a la versión 1.5.2,... • http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 1%CPEs: 16EXPL: 0CVE-2013-1443 – Debian Security Advisory 2758-1
https://notcve.org/view.php?id=CVE-2013-1443
17 Sep 2013 — The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed. El framework de autenticación (django.contrib.auth) en Django 1.4.x anteriores a 1.4.8, 1.5.x anteriores a 1.5.4, y 1.6.x anteriores a 1.6 beta 4 permite a atacantes remotos causar denegación de servicio (consumo de CPU) a través de una contraseña larga al ser luego pro... • http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 12EXPL: 0CVE-2013-4315 – python-django: directory traversal with "ssi" template tag
https://notcve.org/view.php?id=CVE-2013-4315
11 Sep 2013 — Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag. Vulnerabilidad de recorrido de directorios en Django 1.4.x anterior a 1.4.7, 1.5.x anterior a 1.5.3, y 1.6.x anterior a 1.6 beta 3 permite a atacantes remotos leer ficheros arbitrarios a través de una ruta de fichero en la opción ALLOWED_INCLUDE_ROO... • http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 2CVE-2013-4249 – Mandriva Linux Security Advisory 2013-218
https://notcve.org/view.php?id=CVE-2013-4249
23 Aug 2013 — Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField. Vulnerabilidad de XSS en el widget AdminURLFieldWidget en contrib/admin/widgets.py de Django 1.5.x anterior a la versión 1.5.2 y 1.6.x anterior a 1.6 beta 2 permite a atacantes remotos inyectar script web arbitrario o HTML a través de una URLField. The python-django packag... • http://seclists.org/oss-sec/2013/q3/369 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •