django
|
3.0
|
<2.2.27 ,
>=3.0a1,<3.2.12 ,
>=4.0a1,<4.0.2
|
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
|
django
|
3.0
|
<2.2.27 ,
>=3.0a1,<3.2.12 ,
>=4.0a1,<4.0.2
|
Django 2.2.27, 3.2.12 and 4.0.2 include a fix for CVE-2022-23833: Denial-of-service possibility in file uploads.
https://www.djangoproject.com/weblog/2022/feb/01/security-releases
|
django
|
3.0
|
<3.2.16 ,
>=4.0a1,<4.0.8 ,
>=4.1a1,<4.1.2
|
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
|
django
|
3.0
|
<3.2.14 ,
>=4.0a1,<4.0.6
|
Django 3.2.14 and 4.0.6 include a fix for CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments.
https://www.djangoproject.com/weblog/2022/jul/04/security-releases
|
django
|
3.0
|
<2.2.28 ,
>=3.0a1,<3.2.13 ,
>=4.0a1,<4.0.4
|
Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
https://www.djangoproject.com/weblog/2022/apr/11/security-releases
|
django
|
3.0
|
>=3.0a1,<3.0.13 ,
>=3.1a1,<3.1.7 ,
<2.2.19
|
Django versions 2.2.19, 3.0.13 and 3.1.7 include a fix for CVE-2021-23336: Web cache poisoning via 'django.utils.http.limited_parse_qsl()'. Django contains a copy of 'urllib.parse.parse_qsl' which was added to backport some security fixes. A further security fix was issued upstream such that parse_qsl() no longer allows using ';' as a query parameter separator by default, and Django's copy was updated to match.
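The mechanism behind this advisory, as an added example that is not Django's or CPython's code: a front cache that only splits query strings on '&' and an application that also splits on ';' disagree about which parameters a URL carries, so a response reflecting an attacker's parameter can be stored under the clean cache key. The cache, the view and the tracking-parameter list are constructed stand-ins; the separator handling is the only part taken from the advisory.

```python
# Added example (not Django's or CPython's code): reduced model of
# ';'-separator web-cache poisoning.
from __future__ import annotations
import re
from urllib.parse import unquote_plus

def parse_qsl_with(qs: str, separators: str) -> list[tuple[str, str]]:
    """Split a query string into (key, value) pairs on any of ``separators``.

    The pre-fix parsers split on both '&' and ';' (separators="&;");
    the fixed parse_qsl() and Django's limited_parse_qsl() split on '&' only.
    """
    pairs: list[tuple[str, str]] = []
    for chunk in re.split(f"[{re.escape(separators)}]", qs):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

# Constructed: tracking parameters a front cache strips before building its key.
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_content"}

def cache_key(path: str, qs: str) -> str:
    """The front cache keys on the URL minus tracking params, splitting on '&' only."""
    kept = [(k, v) for k, v in parse_qsl_with(qs, "&") if k not in TRACKING_PARAMS]
    if not kept:
        return path
    return path + "?" + "&".join(f"{k}={v}" for k, v in kept)

def app_response(qs: str, separators: str) -> str:
    """Constructed view that reflects the 'q' parameter into its body."""
    params = dict(parse_qsl_with(qs, separators))
    return f"results for {params.get('q', '')}"

def serve(qs: str, app_separators: str) -> tuple[str, str]:
    """Return (cache key the response is stored under, body that gets stored)."""
    return cache_key("/search", qs), app_response(qs, app_separators)

if __name__ == "__main__":
    # Pre-fix application: attacker-controlled body is cached under the clean key "/search".
    print(serve("utm_content=1;q=injected", "&;"))
    # Fixed application: the whole string is one tracking value and nothing is reflected.
    print(serve("utm_content=1;q=injected", "&"))
```

The cache-side split is unchanged between the two runs; the fix works by making the application agree with the cache on what a separator is.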
|
django
|
3.0
|
<2.2.26 ,
>=3.0a1,<3.2.11 ,
>=4.0a1,<4.0.1
|
Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
https://www.djangoproject.com/weblog/2022/jan/04/security-releases
|
django
|
3.0
|
<3.2.17 ,
>=4.0a1,<4.0.9 ,
>=4.1a1,<4.1.6
|
Django 3.2.17, 4.0.9 and 4.1.6 include a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
https://www.djangoproject.com/weblog/2023/feb/01/security-releases
|
django
|
3.0
|
>=1.11a1,<1.11.29 ,
>=2.2a1,<2.2.11 ,
>=3.0a1,<3.0.4
|
Django 1.11.29, 2.2.11 and 3.0.4 include a fix for CVE-2020-9402: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
https://www.djangoproject.com/weblog/2020/mar/04/security-releases
|
django
|
3.0
|
>=3.0a1,<3.0.7 ,
>=2.2a1,<2.2.13
|
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
|
django
|
3.0
|
<3.2.23 ,
>=4.0a1,<4.1.13 ,
>=4.2a1,<4.2.7
|
Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows.
https://www.djangoproject.com/weblog/2023/nov/01/security-releases
|
django
|
3.0
|
<3.2.19 ,
>=4.0a1,<4.1.9 ,
>=4.2a1,<4.2.1
|
Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
https://www.djangoproject.com/weblog/2023/may/03/security-releases
|
django
|
3.0
|
>=1.11a1,<1.11.27 ,
>=2.0a1,<2.2.9 ,
>=3.0a1,<3.0.1
|
Django 1.11.27, 2.2.9 and 3.0.1 include a fix for CVE-2019-19844: Account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. One mitigation in the new releases is to send password reset tokens only to the registered user email address.
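The collision and the mitigation, as an added example that is not Django's code: a case-insensitive lookup accepts a submitted address that differs from the stored one only by a character whose upper-case mapping coincides (U+0131, dotless i, upper-cases to 'I'), so mailing the submitted address hands the token to the attacker. The in-memory user table and the function names are constructed for the example; the two checks follow the shape of the fix (a stricter Python-side compare, and mailing only the stored address).

```python
# Added example (not Django's code): Unicode case-mapping collision in a
# password-reset lookup, with a constructed in-memory user table.
from __future__ import annotations
import unicodedata
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    username: str
    email: str  # address exactly as stored at registration

USERS = [  # constructed sample data
    User("mike", "mike@example.org"),
    User("sara", "sara@example.org"),
]

def case_insensitive_match(stored: str, submitted: str) -> bool:
    """Stand-in for an ``email__iexact`` lookup: compare after case mapping.

    Database UPPER()/LOWER() and Python's str.upper() map U+0131 (dotless i)
    to 'I', so 'mıke@example.org' matches 'mike@example.org' while being a
    different string that the attacker controls.
    """
    return stored.upper() == submitted.upper()

def _fold(s: str) -> str:
    return unicodedata.normalize("NFKC", s).casefold()

def strict_match(stored: str, submitted: str) -> bool:
    """Python-side re-check in the spirit of the fix: NFKC-normalise, then casefold.
    casefold() does not map dotless i to 'i', so the crafted address fails here."""
    return _fold(stored) == _fold(submitted)

def vulnerable_reset_targets(submitted: str) -> list[str]:
    """Pre-fix flow: match loosely, then mail the *submitted* address."""
    return [submitted for u in USERS if case_insensitive_match(u.email, submitted)]

def fixed_reset_targets(submitted: str) -> list[str]:
    """Fixed flow: keep the loose DB-style match, add the strict compare, and
    mail only the *stored* address whatever was submitted."""
    return [
        u.email
        for u in USERS
        if case_insensitive_match(u.email, submitted) and strict_match(u.email, submitted)
    ]

if __name__ == "__main__":
    crafted = "m\u0131ke@example.org"           # attacker-controlled, dotless i
    print(vulnerable_reset_targets(crafted))    # token would go to the crafted address
    print(fixed_reset_targets(crafted))         # no match, nothing is sent
    print(fixed_reset_targets("MIKE@EXAMPLE.ORG"))  # legitimate case variation still works
```

Of the two changes, sending only to the stored address is the one that closes the takeover on its own; the stricter compare additionally stops the crafted request from triggering a mail at all.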
|
django
|
3.0
|
<2.2.16 ,
>=3.0a1,<3.0.10 ,
>=3.1a1,<3.1.1
|
Django 2.2.16, 3.0.10 and 3.1.1 include a fix for CVE-2020-24583: An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
#NOTE: This vulnerability affects only deployments running Python 3.7 or later.
https://www.djangoproject.com/weblog/2020/sep/01/security-releases
|
django
|
3.0
|
<2.2.16 ,
>=3.0a1,<3.0.10 ,
>=3.1a1,<3.1.1
|
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
|
django
|
3.0
|
>=2.2a1,<2.2.20 ,
>=3.0a1,<3.0.14 ,
>=3.1a1,<3.1.8
|
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
|
django
|
3.0
|
<3.2.18 ,
>=4.0a1,<4.0.10 ,
>=4.1a1,<4.1.7
|
Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.
https://www.djangoproject.com/weblog/2023/feb/14/security-releases
|
django
|
3.0
|
<2.2.28 ,
>=3.0a1,<3.2.13 ,
>=4.0a1,<4.0.4
|
Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28347: A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
https://www.djangoproject.com/weblog/2022/apr/11/security-releases
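Both April 2022 issues (CVE-2022-28346, column aliases in annotate()/aggregate()/extra(), and CVE-2022-28347, option names in explain()) share one root cause: a dictionary key that the developer assumed was a literal identifier is interpolated into SQL. The following is an added example, not Django's code: the SQL builders are constructed stand-ins for the ORM paths, and the two name checks follow the shape of the checks Django's fix introduced (a deny-list for aliases, an allow-list for explain option names).

```python
# Added example (not Django's code): an alias or option name reaching SQL
# unchecked, and the name checks that stop it.  vulnerable_annotate_sql,
# fixed_annotate_sql and explain_prefix are constructed models of the ORM.
import re

# Anything that could end a quoted identifier, add a statement, or start a comment.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")
# explain() option names: an allow-list is the simpler shape here.
EXPLAIN_OPTION_PATTERN = re.compile(r"[\w-]+")

def check_alias(alias: str) -> str:
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation marks, "
            f"semicolons, or SQL comments: {alias!r}"
        )
    return alias

def vulnerable_annotate_sql(table: str, **aliases: str) -> str:
    """Pre-fix model: each alias becomes 'expr AS "alias"' with no validation."""
    cols = ", ".join(f'{expr} AS "{alias}"' for alias, expr in aliases.items())
    return f'SELECT {cols} FROM "{table}"'

def fixed_annotate_sql(table: str, **aliases: str) -> str:
    """Fixed model: every alias passes check_alias() before it is interpolated."""
    cols = ", ".join(f'{expr} AS "{check_alias(alias)}"' for alias, expr in aliases.items())
    return f'SELECT {cols} FROM "{table}"'

def explain_prefix(**options: bool) -> str:
    """Model of explain(**options) on a backend that upper-cases option names
    into EXPLAIN (NAME value, ...).  Option names must match the allow-list."""
    parts = []
    for name, value in options.items():
        if not EXPLAIN_OPTION_PATTERN.fullmatch(name):
            raise ValueError(f"Invalid option name: {name!r}. This may be a security issue.")
        parts.append(f"{name.upper()} {str(value).lower()}")
    return ("EXPLAIN (" + ", ".join(parts) + ")") if parts else "EXPLAIN"

if __name__ == "__main__":
    # The crafted key is only reachable through **dict expansion; a literal
    # keyword argument could never contain these characters.
    payload = 'x" FROM "auth_user"; DROP TABLE "auth_user"; --'
    print(vulnerable_annotate_sql("app_item", **{payload: "COUNT(*)"}))
    print(fixed_annotate_sql("app_item", total="COUNT(*)"))
    print(explain_prefix(analyze=True, verbose=False))
```

The practical takeaway for reviewers is the call shape: annotate(**user_dict), aggregate(**user_dict), extra(select=user_dict) and explain(**user_dict) are the patterns to look for, since a key taken from request data is the only way the payload gets in.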
|
django
|
3.0
|
>=3.2a1,<3.2.1 ,
<2.2.21 ,
>=3.0a1,<3.1.9
|
Django 2.2.21, 3.1.9 and 3.2.1 include a fix for CVE-2021-31542: MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
https://www.djangoproject.com/weblog/2021/may/04/security-releases
|
django
|
3.0
|
>=4.0a1,<4.1.10 ,
>=4.2a1,<4.2.3 ,
<3.2.20
|
Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs.
|
django
|
3.0
|
<3.2.25 ,
>=4.0a1,<4.2.11 ,
>=5.0a1,<5.0.3
|
Affected versions of Django are vulnerable to potential regular expression denial-of-service (ReDoS). The django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).
|
django
|
3.0
|
<2.2.24 ,
>=3.0a1,<3.1.12 ,
>=3.2a1,<3.2.4
|
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
https://www.djangoproject.com/weblog/2021/jun/02/security-releases
|
django
|
3.0
|
>=1.11a1,<1.11.28 ,
>=2.0a1,<2.2.10 ,
>=3.0a1,<3.0.3
|
Django 1.11.28, 2.2.10 and 3.0.3 include a fix for CVE-2020-7471: SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
|
django
|
3.0
|
>=3.0a1,<3.0.7 ,
>=2.2a1,<2.2.13
|
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
|
django
|
3.0
|
>=2.0a1,<2.2.18 ,
>=3.0a1,<3.0.12 ,
>=3.1a1,<3.1.6
|
Django 2.2.18, 3.0.12 and 3.1.6 include a fix for CVE-2021-3281: The django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
|
django
|
3.0
|
<2.2.26 ,
>=3.0a1,<3.2.11 ,
>=4.0a1,<4.0.1
|
Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
|
django
|
3.0
|
>=3.0.0a1,<3.1.12 ,
>=3.2.0a1,<3.2.4 ,
<2.2.24
|
Django 2.2.24, 3.1.12, and 3.2.4 include a fix for CVE-2021-33571: In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+).
https://www.djangoproject.com/weblog/2021/jun/02/security-releases
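Why leading zeros matter, as an added example that is not Django's validator: a permissive check accepts '0177.0.0.1' as a valid address, the string is compared against a block-list entry '127.0.0.1' and does not match, yet the network stack that later connects treats a leading zero as octal and reaches 127.0.0.1. The lenient parser below is a reimplementation of the classic BSD inet_aton() rules for illustration (not a call into a real stack), the strict check is this example's own, and the block-list and function names are constructed.

```python
# Added example (not Django's code): octal-octet IPv4 bypass and a strict check.
from __future__ import annotations
import re

# One to three digits per octet, no leading zero unless the octet is exactly "0".
_STRICT_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT_IPV4 = re.compile(rf"{_STRICT_OCTET}(?:\.{_STRICT_OCTET}){{3}}")

def is_strict_ipv4(text: str) -> bool:
    """Accept only canonical dotted-decimal: '127.0.0.1' yes, '0177.0.0.1' no."""
    return _STRICT_IPV4.fullmatch(text) is not None

def _parse_octet(p: str) -> int | None:
    """inet_aton()-style octet: '0x' prefix is hex, a leading '0' is octal."""
    if not p or not p.isalnum():
        return None
    try:
        if p[:2].lower() == "0x":
            value = int(p[2:], 16)
        elif len(p) > 1 and p[0] == "0":
            value = int(p, 8)
        else:
            value = int(p, 10)
    except ValueError:
        return None
    return value if 0 <= value <= 255 else None

def lenient_inet_aton(text: str) -> str | None:
    """Reimplementation of the lenient rules many stacks apply; returns the
    canonical dotted-decimal form, or None if the text does not parse."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets = [_parse_octet(p) for p in parts]
    if any(o is None for o in octets):
        return None
    return ".".join(str(o) for o in octets)

# Constructed block-list: e.g. destinations a user-supplied webhook may not target.
BLOCKED = {"127.0.0.1"}

def vulnerable_check(target: str) -> bool:
    """Pre-fix shape: a permissive validator passes '0177.0.0.1', and the
    string compare against the block-list does not recognise it as 127.0.0.1."""
    if lenient_inet_aton(target) is None:
        raise ValueError("not an IPv4 address")
    return target not in BLOCKED   # True for '0177.0.0.1': the block-list is bypassed

def fixed_check(target: str) -> bool:
    """Fixed shape: only canonical addresses are accepted, so every address has
    exactly one spelling and the string compare is sound."""
    if not is_strict_ipv4(target):
        raise ValueError("not a canonical IPv4 address")
    return target not in BLOCKED

if __name__ == "__main__":
    for spelling in ("127.0.0.1", "0177.0.0.1", "0x7f.0.0.1"):
        print(spelling, "->", lenient_inet_aton(spelling), "strict:", is_strict_ipv4(spelling))
```

On Python 3.9.5 and later the ipaddress module rejects leading zeros itself, which is why the advisory lists validate_ipv4_address and validate_ipv46_address as unaffected there; URLValidator uses its own regular expression and needed the change regardless of Python version.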
|
django
|
3.0
|
<3.2.22 ,
>=4.0a1,<4.1.12 ,
>=4.2a1,<4.2.6
|
Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
|
django
|
3.0
|
<3.2.21 ,
>=4.0a1,<4.1.11 ,
>=4.2a1,<4.2.5
|
Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri().
|
django
|
3.0
|
<2.2.26 ,
>=3.0a1,<3.2.11 ,
>=4.0a1,<4.0.1
|
Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45452: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
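The three upload-path advisories in this table (MultiPartParser in 2.2.20/3.0.14/3.1.8, CVE-2021-31542 for MultiPartParser/UploadedFile/FieldFile, and CVE-2021-45452 for Storage.save) all come down to the same missing check: a name taken from the client is joined onto the storage root without first proving it cannot leave it. The following is an added example, not Django's code: validate_file_name and safe_storage_path are this example's own reimplementation of that check in the shape Django's fixes took, and SuspiciousFileOperation is reused only as an exception name.

```python
# Added example (not Django's code): the checks a storage layer needs before it
# joins an untrusted upload name onto its root directory.
import os
import posixpath
from pathlib import PurePosixPath

class SuspiciousFileOperation(Exception):
    """Raised for names that would escape the storage root."""

def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Reject names that are absolute, contain '..', or (unless relative paths
    are explicitly allowed) contain any directory component at all."""
    if not name or name in (".", ".."):
        raise SuspiciousFileOperation(f"invalid file name: {name!r}")
    # Treat Windows separators like '/', so 'a\\..\\b' is not waved through.
    normalized = name.replace("\\", "/")
    if allow_relative_path:
        path = PurePosixPath(normalized)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"path escapes the storage root: {name!r}")
    elif posixpath.basename(normalized) != normalized:
        raise SuspiciousFileOperation(f"file name contains a path: {name!r}")
    return name

def safe_storage_path(root: str, name: str, allow_relative_path: bool = False) -> str:
    """Join an upload name onto ``root`` and confirm the result stays inside it.

    The containment check is defence in depth: it catches anything the name
    validation above did not anticipate. Paths are computed only; nothing is
    created on disk.
    """
    validate_file_name(name, allow_relative_path)
    root_abs = os.path.abspath(root)
    full = os.path.abspath(os.path.join(root_abs, name.replace("\\", "/")))
    if os.path.commonpath([root_abs, full]) != root_abs:
        raise SuspiciousFileOperation(f"resolved path {full!r} is outside {root_abs!r}")
    return full

if __name__ == "__main__":
    # Constructed inputs: a normal upload, a dated subdirectory, and a traversal attempt.
    print(safe_storage_path("/srv/media", "report.pdf"))
    print(safe_storage_path("/srv/media", "2024/report.pdf", allow_relative_path=True))
    try:
        safe_storage_path("/srv/media", "../../etc/passwd")
    except SuspiciousFileOperation as exc:
        print("rejected:", exc)
```

The two modes matter in practice: a multipart parser receiving a client-chosen name should never accept a directory component (the default), while a storage layer that builds its own 'upload_to' paths can allow relative paths but must still refuse '..' and absolute paths.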
|
django
|
3.0
|
<3.2.24 ,
>=4.0a1,<4.2.10 ,
>=5.0a1,<5.0.2
|
Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings.
|
django
|
3.0
|
<3.2.15 ,
>=4.0a1,<4.0.7
|
Django 3.2.15 and 4.0.7 include a fix for CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
https://www.djangoproject.com/weblog/2022/aug/03/security-releases
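What the header looks like before and after, as an added example that is not Django's helper: interpolating a user-derived name straight into the quoted-string lets a '"' in the name end the parameter early and append a parameter of the attacker's choosing (a different filename and extension, which is the lever a reflected file download needs). The hardened builder escapes the quoted-string and falls back to the RFC 5987 filename* form for non-ASCII names; its shape follows Django's fix but the code and function names are this example's own.

```python
# Added example (not Django's helper): vulnerable and hardened Content-Disposition.
from urllib.parse import quote

def naive_content_disposition(filename: str) -> str:
    """Pre-fix pattern: the name goes into the quoted-string unescaped.

    A '"' inside the name terminates the quoted-string, and whatever follows
    is parsed as further header parameters.
    """
    return f'attachment; filename="{filename}"'

def content_disposition_header(filename: str, as_attachment: bool = True) -> str:
    """Build Content-Disposition so the filename cannot escape its parameter.

    ASCII names go in a quoted-string with backslash and '"' escaped (RFC 6266);
    anything else is percent-encoded into filename* (RFC 5987) instead.
    """
    if "\r" in filename or "\n" in filename:
        raise ValueError("header values must not contain CR or LF")
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        file_expr = "filename*=utf-8''" + quote(filename)
    else:
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        file_expr = f'filename="{escaped}"'
    return f"{disposition}; {file_expr}"

if __name__ == "__main__":
    # Constructed payload: the user-controlled part of the name carries its own parameter.
    payload = 'report.pdf"; filename="setup.bat'
    print(naive_content_disposition(payload))
    print(content_disposition_header(payload))
    print(content_disposition_header("r\u00e9sum\u00e9.pdf"))
```

Escaping alone does not make user-chosen names safe to serve; the extension and the response body still come from the request, so a download endpoint that reflects input should also fix the extension and set X-Content-Type-Options: nosniff.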
|
django-allauth
|
0.40.0
|
<0.47.0
|
Django-allauth 0.47.0 adds a new setting 'SOCIALACCOUNT_LOGIN_ON_GET' that controls whether or not the endpoints for initiating a social login (for example, "/accounts/google/login/") require a POST request to initiate the handshake. As requiring a POST is more secure, the default of this new setting is 'False'. This is useful to prevent redirect attacks.
|
django-allauth
|
0.40.0
|
<0.54.0
|
Django-allauth 0.54.0 includes a security fix: Even when account enumeration prevention was turned on, it was possible for an attacker to infer whether or not a given account exists based upon the response time of an authentication attempt.
|
django-allauth
|
0.40.0
|
<0.41.0
|
Django-allauth 0.41.0 conforms to the general Django 3.0.1, 2.2.9, and 1.11.27 security release. See CVE-2019-19844 and <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>.
|