CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 0CVE-2019-6975
https://notcve.org/view.php?id=CVE-2019-6975
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. Django, en versiones 1.11.x anteriores a la 1.11.19, versiones 2.0.x anteriores a la 2.0.11 y versiones 2.1.x anteriores a la 2.1.6, permite el consumo incontrolado de memoria mediante un valor malicioso proporcionado por el atacante a la función django.utils.numberformat.format(). • http://www.securityfocus.com/bid/106964 https://docs.djangoproject.com/en/dev/releases/security https://groups.google.com/forum/#%21topic/django-announce/WTwEAprR0IQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ https://seclists.org/bugtraq/2019/Jul/10 https://usn.ubuntu.com/3890-1 https://www.debian.org/se • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 1%CPEs: 10EXPL: 0CVE-2019-3498
https://notcve.org/view.php?id=CVE-2019-3498
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. En Django, en versiones 1.11.x anteriores a la 1.11.18, versiones 2.0.x anteriores a la 2.0.10 y 2.1.x anteriores a la 2.1.5, existe una neutralización incorrecta de elementos especiales en las salidas empleadas por un componente de bajada en django.views.defaults.page_not_found(), lo que conduce a la suplantación de contenido (en una página de error 404) si un usuario fracasa a la hora de reconocer que una URL manipulada tiene contenido malicioso. • http://www.securityfocus.com/bid/106453 https://docs.djangoproject.com/en/dev/releases/security https://groups.google.com/forum/#%21topic/django-announce/VYU7xQQTEPQ https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ https://usn.ubuntu.com/3851-1 https://www.debian.org/security/2019/dsa-4363 https://www.djangoproject.com/weblog/2019/jan/04/security-release • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16984
https://notcve.org/view.php?id=CVE-2018-16984
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes. Se ha descubierto un problema en Django, en versiones 2.1 anteriores a la 2.1.2, por el cual los usuarios no privilegiados pueden leer los hashes de contraseña de cuentas arbitrarias. El widget de contraseña de solo lectura empleada por el administrador de Django para mostrar un hash de contraseña ofuscada se omitía si un usuario tenía solo el permiso "view" (nuevo en Django 2.1), lo que resultaba en que el hash de contraseña completo se mostraba a esos usuarios. • http://www.securitytracker.com/id/1041749 https://security.netapp.com/advisory/ntap-20190502-0009 https://www.djangoproject.com/weblog/2018/oct/01/security-release • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2018-14574 – django: Open redirect possibility in CommonMiddleware
https://notcve.org/view.php?id=CVE-2018-14574
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. django.middleware.common.CommonMiddleware en Django en versiones 1.11.x anteriores a la 1.11.15 y versiones 2.0.x anteriores a la 2.0.8 tiene una redirección abierta. When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect. • http://www.securityfocus.com/bid/104970 http://www.securitytracker.com/id/1041403 https://access.redhat.com/errata/RHSA-2019:0265 https://usn.ubuntu.com/3726-1 https://www.debian.org/security/2018/dsa-4264 https://www.djangoproject.com/weblog/2018/aug/01/security-releases https://access.redhat.com/security/cve/CVE-2018-14574 https://bugzilla.redhat.com/show_bug.cgi?id=1609031 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 0%CPEs: 11EXPL: 0CVE-2018-7536 – django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'
https://notcve.org/view.php?id=CVE-2018-7536
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. Se ha descubierto un problema en Django, en versiones 2.0 anteriores a la 2.0.3; versiones 1.11 anteriores a la 1.11.11 y versiones 1.8 anteriores a la 1.8.19. La función django.utils.html.urlize() fue extremadamente lenta a la hora de evaluar ciertas entradas debido a vulnerabilidades catastróficas de búsqueda hacia atrás en dos expresiones regulares (solo una en el caso de las versiones 1.8.x de Django). • http://www.securityfocus.com/bid/103361 https://access.redhat.com/errata/RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2019:0051 https://access.redhat.com/errata/RHSA-2019:0082 https://access.redhat.com/errata/RHSA-2019:0265 https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2 https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16 https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8 https://lists.debian.org/debian-lts-announce/20 • CWE-185: Incorrect Regular Expression CWE-400: Uncontrolled Resource Consumption •