CVE-2007-0404

Date

August , 

类型
Filename validation issue in translation framework. Full description

影响范围

CVE-2007-0405

Date

January ,  

类型

Apparent “caching” of authenticated user. Full description

Issues under Django’s security process¶
All other security issues have been handled under versions of Django’s security process. These are listed below.



影响范围

October 26, 2007 - CVE-2007-5712

Denial-of-service via arbitrarily-large Accept-Language header. Full description

May 14, 2008 - CVE-2008-2302
XSS via admin login redirect. Full description

September 2, 2008 - CVE-2008-3909
CSRF via preservation of POST data during admin login. Full description

July 28, 2009 - CVE-2009-2659
Directory-traversal in development server media handler. Full description

October 9, 2009 - CVE-2009-3965
Denial-of-service via pathological regular expression performance. Full description

September 8, 2010 - CVE-2010-3082
XSS via trusting unsafe cookie value. Full description

December 22, 2010 - CVE-2010-4534
Information leakage in administrative interface. Full description

December 22, 2010 - CVE-2010-4535
Denial-of-service in password-reset mechanism. Full description

February 8, 2011 - CVE-2011-0696
CSRF via forged HTTP headers. Full description

February 8, 2011 - CVE-2011-0697
XSS via unsanitized names of uploaded files. Full description

February 8, 2011 - CVE-2011-0698
Directory-traversal on Windows via incorrect path-separator handling. Full description

September 9, 2011 - CVE-2011-4136
Session manipulation when using memory-cache-backed session. Full description

September 9, 2011 - CVE-2011-4137
Denial-of-service via URLField.verify_exists. Full description

September 9, 2011 - CVE-2011-4138
Information leakage/arbitrary request issuance via URLField.verify_exists. Full description

September 9, 2011 - CVE-2011-4139
Host header cache poisoning. Full description

September 9, 2011 - CVE-2011-4140
Potential CSRF via Host header. Full description

This notification was an advisory only, so no patches were issued.

July 30, 2012 - CVE-2012-3442
XSS via failure to validate redirect scheme. Full description

July 30, 2012 - CVE-2012-3443
Denial-of-service via compressed image files. Full description

July 30, 2012 - CVE-2012-3444
Denial-of-service via large image files. Full description

October 17, 2012 - CVE-2012-4520
Host header poisoning. Full description

December 10, 2012 - No CVE 1
Additional hardening of Host header handling. Full description

December 10, 2012 - No CVE 2
Additional hardening of redirect validation. Full description

February 19, 2013 - No CVE
Additional hardening of Host header handling. Full description

February 19, 2013 - CVE-2013-1664 / CVE-2013-1665
Entity-based attacks against Python XML libraries. Full description

February 19, 2013 - CVE-2013-0305
Information leakage via admin history log. Full description

February 19, 2013 - CVE-2013-0306
Denial-of-service via formset max_num bypass. Full description

August 13, 2013 - CVE-2013-4249
XSS via admin trusting URLField values. Full description

August 13, 2013 - CVE-2013-6044
Possible XSS via unvalidated URL redirect schemes. Full description

September 10, 2013 - CVE-2013-4315
Directory-traversal via ssi template tag. Full description

September 14, 2013 - CVE-2013-1443
Denial-of-service via large passwords. Full description

Django 1.4 (patch and Python compatibility fix)

April 21, 2014 - CVE-2014-0472
Unexpected code execution using reverse(). Full description

April 21, 2014 - CVE-2014-0473
Caching of anonymous pages could reveal CSRF token. Full description

April 21, 2014 - CVE-2014-0474
MySQL typecasting causes unexpected query results. Full description

May 18, 2014 - CVE-2014-1418
Caches may be allowed to store and serve private data. Full description

May 18, 2014 - CVE-2014-3730
Malformed URLs from user input incorrectly validated. Full description

August 20, 2014 - CVE-2014-0480
reverse() can generate URLs pointing to other hosts. Full description

August 20, 2014 - CVE-2014-0481
File upload denial of service. Full description

August 20, 2014 - CVE-2014-0482
RemoteUserMiddleware session hijacking. Full description

August 20, 2014 - CVE-2014-0483
Data leakage via querystring manipulation in admin. Full description

January 13, 2015 - CVE-2015-0219
WSGI header spoofing via underscore/dash conflation. Full description

January 13, 2015 - CVE-2015-0220
Mitigated possible XSS attack via user-supplied redirect URLs. Full description

January 13, 2015 - CVE-2015-0221
Denial-of-service attack against django.views.static.serve(). Full description

January 13, 2015 - CVE-2015-0222
Database denial-of-service with ModelMultipleChoiceField. Full description

March 9, 2015 - CVE-2015-2241
XSS attack via properties in ModelAdmin.readonly_fields. Full description

March 18, 2015 - CVE-2015-2316
Denial-of-service possibility with strip_tags(). Full description

March 18, 2015 - CVE-2015-2317
Mitigated possible XSS attack via user-supplied redirect URLs. Full description

May 20, 2015 - CVE-2015-3982
Fixed session flushing in the cached_db backend. Full description

July 8, 2015 - CVE-2015-5143
Denial-of-service possibility by filling session store. Full description

July 8, 2015 - CVE-2015-5144
Header injection possibility since validators accept newlines in input. Full description

July 8, 2015 - CVE-2015-5145
Denial-of-service possibility in URL validation. Full description

August 18, 2015 - CVE-2015-5963 / CVE-2015-5964
Denial-of-service possibility in logout() view by filling session store. Full description

November 24, 2015 - CVE-2015-8213
Settings leak possibility in date template filter. Full description

February 1, 2016 - CVE-2016-2048
User with “change” but not “add” permission can create objects for ModelAdmin’s with save_as=True. Full description

March 1, 2016 - CVE-2016-2512
Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description

March 1, 2016 - CVE-2016-2513
User enumeration through timing difference on password hasher work factor upgrade. Full description

July 18, 2016 - CVE-2016-6186
XSS in admin’s add/change related popup. Full description

September 26, 2016 - CVE-2016-7401
CSRF protection bypass on a site with Google Analytics. Full description

November 1, 2016 - CVE-2016-9013
User with hardcoded password created when running tests on Oracle. Full description

November 1, 2016 - CVE-2016-9014
DNS rebinding vulnerability when DEBUG=True. Full description

April 4, 2017 - CVE-2017-7233
Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description

April 4, 2017 - CVE-2017-7234
Open redirect vulnerability in django.views.static.serve(). Full description

September 5, 2017 - CVE-2017-12794
Possible XSS in traceback section of technical 500 debug page. Full description

February 1, 2018 - CVE-2018-6188
Information leakage in AuthenticationForm. Full description

March 6, 2018 - CVE-2018-7536
Denial-of-service possibility in urlize and urlizetrunc template filters. Full description

March 6, 2018 - CVE-2018-7537
Denial-of-service possibility in truncatechars_html and truncatewords_html template filters. Full description

August 1, 2018 - CVE-2018-14574
Open redirect possibility in CommonMiddleware. Full description

October 1, 2018 - CVE-2018-16984
Password hash disclosure to “view only” admin users. Full description

January 4, 2019 - CVE-2019-3498
Content spoofing possibility in the default 404 page. Full description

February 11, 2019 - CVE-2019-6975
Memory exhaustion in django.utils.numberformat.format(). Full description

June 3, 2019 - CVE-2019-11358
Prototype pollution in bundled jQuery. Full description

June 3, 2019 - CVE-2019-12308
XSS via “Current URL” link generated by AdminURLFieldWidget. Full description

July 1, 2019 - CVE-2019-12781
Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Full description

August 1, 2019 - CVE-2019-14232
Denial-of-service possibility in django.utils.text.Truncator. Full description

August 1, 2019 - CVE-2019-14233
Denial-of-service possibility in strip_tags(). Full description

August 1, 2019 - CVE-2019-14234

SQL injection possibility in key and index lookups for JSONField/HStoreField. Full description

CVE-2019-14235

Date
August , 2019

类型
Potential memory exhaustion in django.utils.encoding.uri_to_iri(). Full description

CVE-2019-19118

Date
December , 

类型
Privilege escalation in the Django admin. Full description

影响范围

 CVE-2019-19844

Date

December , 

类型
Potential account hijack via password reset form. Full description

影响范围

应用安全 - 编程语言 | 框架 - PHP - Djiango - 漏洞 -汇总的更多相关文章

  1. 应用安全 - Web框架 - Apache Solr - 漏洞汇总

    CVE-2019-12409 Date: // 类型: 配置不当导致远程代码执行 前置条件: 影响范围: Solr and for Linux Solr下载:https://www.apache.or ...

  2. 应用安全 - 工具|框架 - Java - Jenkins - 漏洞 - 汇总

    未授权访问 /script /manage/asynchPeople//config.xml CVE-2015-8103 Date 2015.11 类型反序列化导致远程命令执行 影响范围Jenkins ...

  3. 应用安全 - Web框架 - 数据库管理 - phpMyAdmin - 漏洞汇总

    CVE-2019-18622 Date: 2019.10.28 类型: SQL injection in Designer feature 影响范围: phpMyAdmin versions prio ...

  4. 应用安全 - Web框架 - Apache Flink - 漏洞汇总

    SSV ID:SSV-98101 -- 类型: 文件上传导致远程代码执行   flink下载: https://www.apache.org/dyn/closer.lua/flink/flink-1. ...

  5. Apache Shiro 漏洞汇总

    Apache Shiro 漏洞汇总 以下是我个人通过收集信息收集起来的一些Apache Shiro漏洞信息,这些漏洞的poc都是公开的,利用起来也是比较简单 Apache Shiro是什么东西: Ap ...

  6. IFrame安全问题解决办法(跨框架脚本(XFS)漏洞)

    最近项目要交付了,对方安全测试的时候检测出高危险漏洞,由于刚参加工作不久,经验不足,未涉及过此方面的东西.经过一番查询和探索,最终解决了这个问题,记录一下. 发现的漏洞为缺少跨框架脚本保护.跨框架脚本 ...

  7. SZhe_Scan碎遮:一款基于Flask框架的web漏洞扫描神器

    SZhe_Scan碎遮:一款基于Flask框架的web漏洞扫描神器 天幕如遮,唯我一刀可碎千里华盖,纵横四海而无阻,是谓碎遮 --取自<有匪> 写在前面 这段时间很多时间都在忙着编写该项目 ...

  8. 应用安全 - JavaScript - 框架 - Jquery - 漏洞 - 汇总

    jQuery CVE-2019-11358 Date 类型 原型污染 影响范围 CVE-2015-9251  Date 类型跨站 影响范围<jQuery 3.0.0

  9. 应用安全 - 编程语言漏洞 - PHP语言漏洞汇总

    CVE-2019-11043 Date: 类型: 远程代码执行 前置条件: Nginx + fastcgi + php-fpm 配置文件信息如下: location ~ [^/]\.php(/|$) ...

随机推荐

  1. Linux/Ubantu 安装 idea

    wget 使用 wget url (这里的url就是你要下载idea的网站) 在idea官网中 找到 direct link 右键复制链接 在 linux 中 打开 终端命令窗口 (Ctrl +Alt ...

  2. cnblogs设置各级标题样式和目录

    向博客园申请js权限 我们需要进入博客园自定义博客模板的页面,向博客园管理团队申请页面运行js的权限. [博客园]->[设置]->[博客设置],点击页面上的js权限申请,然后填写申请的理由 ...

  3. django之表多对多建立方式、form组件、钩子函数 08

    目录 多对多三种创建方式 1.全自动(用ManyToManyField创建第三张表) 2.纯手写 3.半自动 form组件 引入 form组件的使用 forms组件渲染标签 form表单展示信息 fo ...

  4. Amazon Redshift and the Case for Simpler Data Warehouses

    Redshift是Amazon一个商业产品上的进化 但并不是技术的进化,他使用的无非都是传统数仓领域的技术 如果说创新,就是大量使用Amazon本身的云服务的云原生架构,大大提升的产品的迭代速度,可维 ...

  5. RPM软件管理

    1.源代码形式 绝大多数软件都是以源代码形式发布的:     因为开源的理念是不重复造轮子:让其它不以商业为目的人都能修改这个软件:   源代码一般会被打包成tar.gz的压缩归档文件: 程序源代码需 ...

  6. JVM(八),垃圾回收标记算法

    八.垃圾回收标记算法 1.对象被判定成垃圾的标准 没有被其他对象引用 2.判断对象是否为垃圾的算法 (1)引用计数法 优点and缺点 (2)可达性分析算法

  7. vivo 手机 video 标签无法播放视频解决方案

    1. 针对 vivo 手机单独设置 video 标签加上 controls 此时video 可以点击播放,但是有进度条存在. 2. 将 video 隐藏,用一张图片定位在在 video 所在的位置,点 ...

  8. 7.6 T1 深度优先搜索(dfs)

    深度优先搜索(dfs) [题目描述] sol:50pts随便写写,就是大众分了,直接n2dpOK,100分要找点规律,需要数学头脑 官方题解 //#include <bits/stdc++.h& ...

  9. LeetCode---Sort && Segment Tree && Greedy

    307. Range Sum Query - Mutable 思路:利用线段树,注意数据结构的设计以及建树过程利用线段树,注意数据结构的设计以及建树过程 public class NumArray { ...

  10. SRS之SrsRtmpConn::publishing详解

    1. SrsRtmpConn::publishing int SrsRtmpConn::publishing(SrsSource* source) { int ret = ERROR_SUCCESS; ...