django@1.2.3 vulnerabilities
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
-
latest version
5.0.6
-
latest non vulnerable version
-
first published
14 years ago
-
latest version published
13 days ago
-
licenses detected
- [1.0.1,3.1a1)
Direct Vulnerabilities
Known vulnerabilities in the django package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in Note: The function is only vulnerable when How to fix Regular Expression Denial of Service (ReDoS)? Upgrade |
[,3.2.25)
[4.0a1,4.2.11)
[5.0a1,5.0.3)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) via the Note: This vulnerability is only exploitable on Windows systems. How to fix Denial of Service (DoS)? Upgrade |
[,3.2.23)
[4.0a1,4.1.13)
[4.2a1,4.2.7)
|
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the How to fix Regular Expression Denial of Service (ReDoS)? Upgrade |
[,3.2.22)
[4.0,4.1.12)
[4.2,4.2.6)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) in the How to fix Denial of Service (DoS)? Upgrade |
[,3.2.21)
[4.0a1,4.1.11)
[4.2a1,4.2.5)
|
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the How to fix Regular Expression Denial of Service (ReDoS)? Upgrade |
[,3.2.20)
[4.0a1,4.1.10)
[4.2a1,4.2.3)
|
Affected versions of this package are vulnerable to Arbitrary File Upload by bypassing of validation of all but the last file when uploading multiple files using a single How to fix Arbitrary File Upload? Upgrade |
[,3.2.19)
[4.1a1,4.1.9)
[4.2a1,4.2.1)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data in How to fix Denial of Service (DoS)? Upgrade |
[,3.2.18)
[4.0a1,4.0.10)
[4.1a1,4.1.7)
|
Affected versions of this package are vulnerable to Reflected File Download (RFD) as it is possible to set the How to fix Reflected File Download (RFD)? Upgrade |
[,3.2.15)
[4.0a1,4.0.7)
[4.1rc1,4.1)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via the Note: Applications that constrain the lookup name and kind choice to a known safe list are unaffected. Django 4.1 pre-released versions (4.1a1, 4.1a2) are affected by this issue, please avoid using the 4.1 branch until 4.1.0 is released. How to fix SQL Injection? Upgrade |
[,3.2.14)
[4.0a1,4.0.6)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via How to fix SQL Injection? Upgrade |
[,2.2.28)
[3.0,3.2.13)
[4.0,4.0.4)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection in How to fix SQL Injection? Upgrade |
[,2.2.28)
[3.0,3.2.13)
[4.0,4.0.4)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the How to fix Cross-site Scripting (XSS)? Upgrade |
[,2.2.27)
[3.0,3.2.12)
[4.0,4.0.2)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) via an infinite loop during file parsing that occurs when certain inputs are passed to multipart forms. How to fix Denial of Service (DoS)? Upgrade |
[,2.2.27)
[3.0,3.2.12)
[4.0,4.0.2)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Directory Traversal via Note: this is exploitable only if crafted file names are being directly passed to the How to fix Directory Traversal? Upgrade |
[,2.2.26)
[3.0,3.2.11)
[4.0,4.0.1)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Information Exposure via the Note: all untrusted user input should be validated before use. How to fix Information Exposure? Upgrade |
[,2.2.26)
[3.0,3.2.11)
[4.0,4.0.1)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Denial of Service (DoS) via Note: it is exploitable under the assumption that access to user registration is unrestricted. How to fix Denial of Service (DoS)? Upgrade |
[,2.2.26)
[3.0,3.2.11)
[4.0,4.0.1)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Access Restriction Bypass. HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. How to fix Access Restriction Bypass? Upgrade |
[,2.2.25)
[3.0,3.1.14)
[3.2,3.2.10)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Directory Traversal via How to fix Directory Traversal? Upgrade |
[3.2,3.2.4)
[3.1,3.1.12)
[,2.2.24)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to HTTP Header Injection. In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs. Unfortunately it created an issue in the URLValidator. URLValidator uses This issue was introduced by the bpo-43882 fix. How to fix HTTP Header Injection? Upgrade |
[3.2,3.2.2)
[3.0,3.1.10)
[,2.2.22)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Directory Traversal. How to fix Directory Traversal? Upgrade |
[,2.2.21)
[3.0,3.1.9)
[3.2,3.2.1)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via "tolerance" parameter in GIS functions and aggregates on Oracle. How to fix SQL Injection? Upgrade |
[3.0,3.0.4)
[2.2,2.2.11)
[,1.11.29)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Content Spoofing. The default 404 page did not properly handle user-supplied data, an attacker could supply content to the web application, typically via a parameter value, that is reflected back to the user. This presented the user with a modified page under the context of the trusted domain. How to fix Content Spoofing? Upgrade |
[,1.11.18)
[2.0.0,2.0.10)
[2.1.0,2.1.5)
|
django is a Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Open Redirect.
If the How to fix Open Redirect? Upgrade |
[,1.11.15)
[2.0.0,2.0.8)
|
Affected versions of this package are vulnerable to Open Redirect. A maliciously crafted URL to a Django site using the How to fix Open Redirect? Upgrade |
[,1.8.18)
[1.9,1.9.13)
[1.10,1.10.7)
|
Affected versions of this package are vulnerable to Open Redirect. It relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely How to fix Open Redirect? Upgrade |
[,1.8.18)
[1.9,1.9.13)
[1.10,1.10.7)
|
Affected versions of this package are vulnerable to DNS Rebinding attacks. When |
[,1.8.16)
[1.9,1.9.11)
[1.10,1.10.3)
|
Affected versions of this package used a hardcoded password for a temporary database user created when running tests with an Oracle database. This user is usually dropped after the test suite completes, but not when using the |
[,1.8.16)
[1.9,1.9.11)
[1.10,1.10.3)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. An attacker may conduct an attack upon deserialization of an XML object. This vulnerability is related to CVE-2013-1664. |
[,1.3.6)
[1.4,1.4.4)
|
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) attacks. The cookie parsing code, when used on a site with Google Analytics, may allow remote attackers to set arbitrary cookies leading to a bypass of CSRF protection. |
[,1.8.15)
[1.9,1.9.10)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. The |
[,1.8.14)
[1.9.0,1.9.8)
|
Affected versions of this package are vulnerable to Timing attacks. There is a timing difference between a login request for a user with a password encoded in an older number of iterations and login request for a nonexistent user (which runs the default hasher's default number of iterations). This only affects users who haven't logged in since the iterations were increased in Django 1.6. |
[,1.8.10)
[1.9,1.9.3)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The |
[,1.8.10)
[1.9,1.9.3)
|
Affected versions of this package are vulnerable to Information Exposure. It is possible for a user to specify the date format and pass it to the date filter, e.g. How to fix Information Exposure? Upgrade |
[,1.7.11)
[1.8,1.8.7)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. If a large number of requests were made to How to fix Denial of Service (DoS)? Upgrade |
[,1.4.22)
[1.5,1.7.10)
[1.8,1.8.4)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. The How to fix Denial of Service (DoS)? Upgrade |
[,1.4.22)
[1.5,1.7.10)
[1.8,1.8.4)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. When sending multiple requests with unique session keys, the session backends create new empty records in the session storage, which can fill the session store. How to fix Denial of Service (DoS)? Upgrade |
[,1.4.21)
[1.5,1.7.9)
[1.8,1.8.3)
|
Affected versions of this package are vulnerable to HTTP Response Splitting attacks due to the use of an incorrect regular expression. It allows newline characters in email messages (to the |
[,1.4.21)
[1.5,1.7.9)
[1.8,1.8.3)
|
Affected versions of this package are vulnerable to a Denial of Service (DoS) attacks. When an inputing a long string into the Note: This occurs only when using Python <2.7.7 or =3.3.5. |
[,1.4.20)
[1.5,1.6.11)
[1.7,1.7.7)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. The |
[,1.4.20)
[1.5,1.6.11)
[1.7,1.7.7)
|
Affected versions of this package are vulnerable to WSGI header spoofing. A malicious user could exploit this vulnerability by using an |
[,1.4.18)
[1.5,1.6.10)
[1.7,1.7.3)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. The |
[,1.4.18)
[1.5,1.6.10)
[1.7,1.7.3)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. The |
[,1.4.18)
[1.5,1.6.10)
[1.7,1.7.3)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. When a form uses |
[,1.4.18)
[1.5,1.6.10)
[1.7,1.7.3)
|
Affected versions of this package are vulnerable to Information Exposure. The administrative interface ( |
[,1.4.14)
[1.5,1.5.9)
[1.6,1.6.6)
|
Affected versions of this package are vulnerable to Phishing attacks. The |
[,1.4.14)
[1.5,1.5.9)
[1.6,1.6.6)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks.The default configuration for the file upload handling uses a sequential file name generation process when a file with a conflicting name is uploaded. An attackers can cause high CPU consumption by uploading multiple files with the same name. |
[,1.4.14)
[1.5,1.5.9)
[1.6,1.6.6)
|
Affected versions of this package are vulnerable to Session Hijacking. The |
[,1.4.14)
[1.5,1.5.9)
[1.6,1.6.6)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Web Cache Poisoning. It does not properly include the How to fix Web Cache Poisoning? Upgrade |
[,1.4.13)
[1.5,1.5.8)
[1.6,1.6.5)
|
Affected versions of this package are vulnerable to Open Redirecting. The |
[,1.4.13)
[1.5,1.5.8)
[1.6,1.6.5)
|
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) attacks. The caching framework reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users. How to fix Cross-site Request Forgery (CSRF)? Upgrade to versions |
[,1.4.11)
[1.5,1.5.6)
[1.6,1.6.3)
[1.7,1.7.1)
|
Affected versions of this package are vulnerable to Arbitrary Code Execution attacks. The How to fix Arbitrary Code Execution? Upgrade to versions |
[,1.4.11)
[1.5,1.5.6)
[1.6,1.6.3)
[1.7,1.7.1)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection. The How to fix SQL Injection? Upgrade |
[,1.4.11)
[1.5,1.5.6)
[1.6,1.6.3)
[1.7,1.7.1)
|
Affected versions of this package are vulnerable to Directory Traversal attacks. In the ssi template tag, the |
[,1.4.7)
[1.5,1.5.3)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. The authentication framework ( |
[,1.4.8)
[1.5,1.5.4)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. The |
[,1.4.6)
[1.5,1.5.2)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. The |
[,1.4.6)
[1.5,1.5.2)
|
Affected versions of this package are vulnerable to XML External Entity (XXE) attacks. An attacker may be able to read arbitrary files via an XML external entity declaration in conjunction with an entity reference. This vulnerability is related to CVE-2013-1665. |
[,1.3.6)
[1.4,1.4.4)
|
Affected versions of this package are vulnerable to Information Exposure. The administrative interface did not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information. |
[,1.3.6)
[1.4,1.4.4)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. The form library allows remote attackers to bypass intended resource limits for formsets by modifying the |
[,1.3.6)
[1.4,1.4.4)
|
Affected versions of this package are vulnerable to Host Header Poisoning. The |
[,1.3.4)
[1.4,1.4.2)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The |
[,1.3.2)
[1.4,1.4.1)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. The |
[,1.3.2)
[1.4,1.4.1)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. The |
[,1.3.2)
[1.4,1.4.1)
|
Affected versions of this package are vulnerable to Session Manipulation. It stored session data in the cache using the root namespace for both session identifiers and application-data keys. This allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier. |
[,1.2.7)
[1.3,1.3.1)
|
Affected versions of this package are vulnerable to Denial of Service attacks. The |
[,1.2.7)
[1.3,1.3.1)
|
Affected versions of this package are vulnerable due to lack of request validation.
The |
[,1.2.7)
[1.3,1.3.1)
|
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Web Cache Poisoning. It used a request's HTTP Host header to construct a full URL. An attacker can submit a request with a Host header of his or her choice, receive a response which constructs URLs using that Host header, and If that response is cached, further requests will be served out of cache using URLs containing the attacker's host of choice. How to fix Web Cache Poisoning? Upgrade |
[,1.2.7)
[1.3,1.3.1)
|
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The CSRF protection mechanism does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code. |
[,1.2.7)
[1.3,1.3.1)
|
Affected versions of this package are vulnerable to Information Exposure. When the |
[,1.2.7)
[1.3,1.3.1)
|
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) attacks. It didn't properly validate HTTP requests containing an |
[,1.1.4)
[1.2,1.2.5)
|
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. A filename associated with a file upload was not escaped before rendering. |
[,1.1.4)
[1.2,1.2.5)
|
Affected versions of this package are vulnerable to Directory Traversal on Windows. If a |
[,1.1.4)
[1.2,1.2.5)
|
Affected versions of this package expose sensitive information due to not properly restricting the use of a query string that performs certain object filtering. An attacker may obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a |
[,1.1.3)
[1.2,1.2.4)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. The length of a string representing a base36 timestamp was not validated, allowing remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer. |
[,1.1.3)
[1.2,1.2.4)
|