CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33185 – Incorrect signature verification in django-ses
https://notcve.org/view.php?id=CVE-2023-33185
26 May 2023 — Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.... • https://github.com/django-ses/django-ses/blob/3d627067935876487f9938310d5e1fbb249a7778/CVE/001-cert-url-signature-verification.md • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-15010 – University of Cambridge django-ucamlookup Lookup cross site scripting
https://notcve.org/view.php?id=CVE-2016-15010
05 Jan 2023 — A vulnerability classified as problematic was found in University of Cambridge django-ucamlookup up to 1.9.1. Affected by this vulnerability is an unknown functionality of the component Lookup Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.9.2 is able to address this issue. • https://github.com/uisautomation/django-ucamlookup/commit/5e25e4765637ea4b9e0bf5fcd5e9a922abee7eb3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4595 – django-openipam exposed_hosts.html cross site scripting
https://notcve.org/view.php?id=CVE-2022-4595
18 Dec 2022 — A vulnerability classified as problematic has been found in django-openipam. This affects an unknown part of the file openipam/report/templates/report/exposed_hosts.html. The manipulation of the argument description leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is a6223a1150d60cd036106ba6a8e676c1bfc3cc85. • https://github.com/openipam/django-openipam/commit/a6223a1150d60cd036106ba6a8e676c1bfc3cc85 • CWE-707: Improper Neutralization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4589 – cyface Terms and Conditions Module views.py returnTo redirect
https://notcve.org/view.php?id=CVE-2022-4589
17 Dec 2022 — A vulnerability has been found in cyface Terms and Conditions Module up to 2.0.9 and classified as problematic. Affected by this vulnerability is the function returnTo of the file termsandconditions/views.py. The manipulation leads to open redirect. The attack can be launched remotely. Upgrading to version 2.0.10 is able to address this issue. • https://github.com/cyface/django-termsandconditions/commit/03396a1c2e0af95e12a45c5faef7e47a4b513e1a • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4526 – django-photologue Default Template photo_detail.html cross site scripting
https://notcve.org/view.php?id=CVE-2022-4526
15 Dec 2022 — A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic. Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler. The manipulation of the argument object.caption leads to cross site scripting. The attack may be launched remotely. Upgrading to version 3.16 is able to address this issue. • https://github.com/richardbarran/django-photologue/commit/960cb060ce5e2964e6d716ff787c72fc18a371e7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-707: Improper Neutralization •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-42731
https://notcve.org/view.php?id=CVE-2022-42731
11 Oct 2022 — mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage. El archivo mfa/FIDO2.py en django-mfa2 versiones anteriores a 2.5.1 y 2.6.x anteriores a 2.6.1, permite un ataque de repetición que podría ser usado para registrar otro dispositivo para un usuario. El desafío de registro del dispositivo no es invalidado después de su uso • https://github.com/mkalioby/django-mfa2/blob/0936ea253354dd95cb127f09d0efa31324caef27/mfa/FIDO2.py#L58 • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24840 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in django-s3file
https://notcve.org/view.php?id=CVE-2022-24840
06 Jun 2022 — django-s3file is a lightweight file upload input for Django and Amazon S3 . In versions prior to 5.5.1 it was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. If the `AWS_LOCATION` setting was set, traversal was limited to that location only. The issue was discovered by the maintainer. There were no reports of the vulnerability being known to or exploited by a third party, prior to the release of the patch. • https://github.com/codingjoe/django-s3file/commit/68ccd2c621a40eb66fdd6af2be9d5fcc9c373318 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24857 – Multi factor authentication bypass in django-mfa3
https://notcve.org/view.php?id=CVE-2022-24857
15 Apr 2022 — django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. • https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15 • CWE-287: Improper Authentication •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3994 – Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
https://notcve.org/view.php?id=CVE-2021-3994
01 Dec 2021 — django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') django-helpdesk es vulnerable a una Neutralización Inapropiada de Entradas Durante la Generación de Páginas Web ("Cross-site Scripting") • https://github.com/django-helpdesk/django-helpdesk/commit/a22eb0673fe0b7784f99c6b5fd343b64a6700f06 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25986 – Django-wiki - Stored Cross-Site Scripting (XSS) in Notifications Section
https://notcve.org/view.php?id=CVE-2021-25986
23 Nov 2021 — In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript. En Django-wiki, versiones 0.0.20 a 0.7.8, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) Almacenado en la sección de notificacio... • https://github.com/django-wiki/django-wiki/commit/9eaccc7519e4206a4d2f22640882f0737b2da9c5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •