CVSS: 4.3EPSS: 3%CPEs: 9EXPL: 0CVE-2011-0697
https://notcve.org/view.php?id=CVE-2011-0697
14 Feb 2011 — Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. Vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Django v1.1.x anteriores a v1.1.4 y v1.2.x anteriores a v1.2.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del nombre de fichero vinculado a la subida de un archivo. • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2011-0698
https://notcve.org/view.php?id=CVE-2011-0698
14 Feb 2011 — Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays. Vulnerabilidad de salto de directorio en Django v1.1.x antes de v1.1.4 y v1.2.x antes de v1.2.5 en Windows, cuando está habilitado permite a atacantes remotos incluir y ejecutar ficheros locales de su elección al utilizar caracteres /(barra) en la llave de una cookie de sesión... • http://openwall.com/lists/oss-security/2011/02/09/6 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 16EXPL: 3CVE-2010-4534
https://notcve.org/view.php?id=CVE-2010-4534
10 Jan 2011 — The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter. El interfaz de administración de django.contrib.admin de Django en versiones anteriores a 1.1.3, 1.2.x anterio... • http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 4%CPEs: 16EXPL: 0CVE-2010-4535
https://notcve.org/view.php?id=CVE-2010-4535
10 Jan 2011 — The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer. La funcionalidad de restablecimiento de contraseña en django.contrib.auth en Django antes de v1.1.3, v1.2.x antes de v1.2.4, y v1.3.x antes de v1.3 beta 1 no valida la longitud de... • http://code.djangoproject.com/changeset/15032 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2010-3082
https://notcve.org/view.php?id=CVE-2010-3082
14 Sep 2010 — Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Django 1.2.x, en versiones anteriores a la 1.2.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante una cookie csrfmiddlewaretoken (también conocida como csrf_token). • http://marc.info/?l=oss-security&m=128403961700444&w=2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 0CVE-2009-3695
https://notcve.org/view.php?id=CVE-2009-3695
13 Oct 2009 — Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression. Vulnerabilidad de complejidad algorítmica en la forma library en Django v1.0 anterior v1.0.4 y v1.1 anterior v1.1.1 permite a atacantes remotos causar una denegación de servicio (consumo CPU( a trav... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457 •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2009-2659
https://notcve.org/view.php?id=CVE-2009-2659
04 Aug 2009 — The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL. El manejador Admin media en core/servers/basehttp.py en Django 1.0 y 0.96 no mapea de forma adecuada peticiones de URL de tipo "static media files", lo que permite a atacantes remotos dirigir ataques de salto de directorio y leer archivos de su elección m... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539134 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2008-3909
https://notcve.org/view.php?id=CVE-2008-3909
04 Sep 2008 — The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests. La administración de la aplicación en Django 0.91, 0.95, y 0.96, almacena peticiones HTTP POST sin autenticación procesadas tras una autenticación válida, lo que permite a atacantes remotos llevar a cabo ataques de... • http://osvdb.org/47906 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2008-2302
https://notcve.org/view.php?id=CVE-2008-2302
23 May 2008 — Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en el formulario de login en la aplicación de administración en Django 0.91 anteriores a 0.91.2, 0.95 anteriores a 0.95.3 y 0.96 anteriores a 0.96.2 permite a atacante... • http://secunia.com/advisories/30250 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-5828
https://notcve.org/view.php?id=CVE-2007-5828
05 Nov 2007 — Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. NOTE: this issue has been disputed by Debian, since product documentation includes a recommendation for a CSRF protection module that is included with the product. However, CVE considers this an issue because the default configuration does not use this module ** EN DISPUTA ** La vulnerabilidad de falsificación de solici... • http://osvdb.org/45285 • CWE-352: Cross-Site Request Forgery (CSRF) •