Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:djangoproject:django:1.6:beta3:*:*:*:*:*:*
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2015-5144 |
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. Published: July 14, 2015; 1:59:07 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2015-5143 |
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys. Published: July 14, 2015; 1:59:06 PM -0400 |
V3.x:(not available) V2.0: 7.8 HIGH |
CVE-2015-2317 |
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. Published: March 25, 2015; 10:59:04 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2015-2316 |
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string. Published: March 25, 2015; 10:59:02 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-0483 |
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. Published: August 26, 2014; 10:55:05 AM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2014-0482 |
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. Published: August 26, 2014; 10:55:05 AM -0400 |
V3.x:(not available) V2.0: 6.0 MEDIUM |
CVE-2014-0481 |
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name. Published: August 26, 2014; 10:55:05 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-0480 |
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated. Published: August 26, 2014; 10:55:05 AM -0400 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2014-3730 |
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." Published: May 16, 2014; 11:55:05 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-1418 |
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers. Published: May 16, 2014; 11:55:04 AM -0400 |
V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2013-1443 |
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed. Published: September 23, 2013; 4:55:07 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |