24 results

CVSS: 7.8 | EPSS: 8% | CPEs: 3 | EXPL: 0

06 Feb 2024 — An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. A vulnerability was found in Django. • https://docs.djangoproject.com/en/5.0/releases/security

CVSS: 7.8 | EPSS: 3% | CPEs: 3 | EXPL: 0

02 Nov 2023 — An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. • https://docs.djangoproject.com/en/4.2/releases/security • CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 7.8 | EPSS: 1% | CPEs: 4 | EXPL: 0

05 Oct 2023 — In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. • http://www.openwall.com/lists/oss-security/2024/03/04/1 • CWE-1284: Improper Validation of Specified Quantity in Input; CWE-1333: Inefficient Regular Expression Complexity

CVSS: 7.8 | EPSS: 1% | CPEs: 4 | EXPL: 0

19 Sep 2023 — In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. An uncontrolled resource consum... • https://docs.djangoproject.com/en/4.2/releases/security • CWE-400: Uncontrolled Resource Consumption; CWE-1284: Improper Validation of Specified Quantity in Input

CVSS: 7.8 | EPSS: 21% | CPEs: 8 | EXPL: 0

03 Jul 2023 — In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. A regular expression denial of service vulnerability has been found in Django. Email and URL validators are vulnerable to this flaw when processing a very large number of domain name labels of emails and URLs. Red Hat Ansible Automation Platform provides an enterpris... • https://docs.djangoproject.com/en/4.2/releases/security • CWE-1333: Inefficient Regular Expression Complexity

CVSS: 10.0 | EPSS: 1% | CPEs: 6 | EXPL: 0

03 May 2023 — In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple fi... • https://docs.djangoproject.com/en/4.2/releases/security • CWE-20: Improper Input Validation; CWE-862: Missing Authorization

CVSS: 7.8 | EPSS: 49% | CPEs: 4 | EXPL: 0

14 Feb 2023 — An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack. A memory exhaustion flaw was found in the python-django package. This issue occurs when passing certain inputs, leading to a system crash and denial of service. Red Hat Ansible Automati... • http://www.openwall.com/lists/oss-security/2023/02/14/1 • CWE-400: Uncontrolled Resource Consumption

CVSS: 7.8 | EPSS: 3% | CPEs: 4 | EXPL: 0

01 Feb 2023 — In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. A flaw was found in python-django. The parsed values of the Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial of service vector via excessive memory usage i... • https://docs.djangoproject.com/en/4.1/releases/security • CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 7.8 | EPSS: 15% | CPEs: 3 | EXPL: 0

04 Oct 2022 — In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. A denial of service flaw was discover... • https://docs.djangoproject.com/en/4.0/releases/security • CWE-400: Uncontrolled Resource Consumption

CVSS: 10.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

03 Aug 2022 — An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. • http://www.openwall.com/lists/oss-security/2022/08/03/1 • CWE-494: Download of Code Without Integrity Check