CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 0CVE-2020-24584
https://notcve.org/view.php?id=CVE-2020-24584
01 Sep 2020 — An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077. Se detectó un problema en Django versiones 2.2 anteriores a 2.2.16, versiones 3.0 anteriores a 3.0.10 y versiones 3.1 anteriores a 3.1.1 (cuando es usado Python 3.7+). Los directorios de nivel intermedio de la caché del sistema de archivos tenían la umask estándar del sistema... • https://docs.djangoproject.com/en/dev/releases/security • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 2%CPEs: 8EXPL: 0CVE-2020-24583 – Ubuntu Security Notice USN-4479-1
https://notcve.org/view.php?id=CVE-2020-24583
01 Sep 2020 — An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command. Se detectó un problema en Django versiones 2.2 anteriores a 2.2.16, versiones 3.0 anteriores a 3.0.10 y versiones 3.1 anteriores a 3.1.... • https://docs.djangoproject.com/en/dev/releases/security • CWE-276: Incorrect Default Permissions •
CVSS: 5.9EPSS: 8%CPEs: 14EXPL: 1CVE-2020-13254 – django: potential data leakage via malformed memcached keys
https://notcve.org/view.php?id=CVE-2020-13254
03 Jun 2020 — An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. Se detectó un problema en Django versiones 2.2 anteriores a 2.2.13 y versiones 3.0 anteriores a 3.0.7. En casos donde un backend memcached no lleva a cabo una comprobación de la clave, pasa claves de caché maliciosas que podría resultar en una colisión de claves y una potencial f... • https://github.com/danpalmer/django-cve-2020-13254 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-295: Improper Certificate Validation •
CVSS: 6.1EPSS: 1%CPEs: 13EXPL: 0CVE-2020-13596 – Debian Security Advisory 4705-1
https://notcve.org/view.php?id=CVE-2020-13596
03 Jun 2020 — An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. Se detectó un problema en Django versiones 2.2 anteriores a 2.2.13 y versiones 3.0 anteriores a 3.0.7. En casos donde un backend memcached no lleva a cabo una comprobación de la clave, pasa claves de caché maliciosas que podría resultar en una colisión de claves y una potencial filtración de da... • https://docs.djangoproject.com/en/3.0/releases/security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 54%CPEs: 11EXPL: 0CVE-2020-9402 – django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle
https://notcve.org/view.php?id=CVE-2020-9402
04 Mar 2020 — Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. Django versiones 1.11 anteriores a 1.11.29, versiones 2.2 anteriores a 2.2.11 y versiones 3.0 anteriores a 3.0.4, permite una Inyección SQL si datos no confiables son usados como un pará... • https://docs.djangoproject.com/en/3.0/releases/security • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 7%CPEs: 3EXPL: 7CVE-2020-7471 – Ubuntu Security Notice USN-4264-1
https://notcve.org/view.php?id=CVE-2020-7471
03 Feb 2020 — Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. Django versiones 1.11 anteriores a 1.11.28, versiones 2.2 anteriores a 2.2.10 y versiones 3.0 anter... • https://github.com/Saferman/CVE-2020-7471 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 15%CPEs: 7EXPL: 5CVE-2019-19844 – Django < 3.0 < 2.2 < 1.11 - Account Hijack
https://notcve.org/view.php?id=CVE-2019-19844
18 Dec 2019 — Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) Django versiones anteriores a 1.11.27, versiones 2.x anteriores a 2.2.9 y versiones 3.x ant... • https://packetstorm.news/files/id/155872 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19118 – Gentoo Linux Security Advisory 202004-17
https://notcve.org/view.php?id=CVE-2019-19118
02 Dec 2019 — Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal ... • http://www.openwall.com/lists/oss-security/2019/12/02/1 • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 2%CPEs: 4EXPL: 0CVE-2019-14232 – Django: backtracking in a regular expression in django.utils.text.Truncator leads to DoS
https://notcve.org/view.php?id=CVE-2019-14232
01 Aug 2019 — An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. Se detectó un problema en Django versione... • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 5%CPEs: 4EXPL: 0CVE-2019-14233 – Django: the behavior of the underlying HTMLParser leading to DoS
https://notcve.org/view.php?id=CVE-2019-14233
01 Aug 2019 — An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. Se detectó un problema en Django versiones 1.11.x anteriores a 1.11.23, versiones 2.1.x anteriores a 2.1.11 y versiones 2.2.x anteriores a 2.2.4. Debido al comportamiento del HTMLParser subyacente, django.utils.html.... • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •