Latest djangoproject django Vulnerabilities

Django CVE-2024-24680: Potential denial-of-service in intcomma template filter
pip/django>=5.0<5.0.2
pip/django>=4.2<4.2.10
pip/django<3.2.24
ubuntu/python-django<1:1.11.11-1ubuntu1.21+
ubuntu/python-django<2:2.2.12-1ubuntu0.21
ubuntu/python-django<2:3.2.12-2ubuntu1.10
and 9 more
Django: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
Djangoproject Django>=3.2<3.2.23
Djangoproject Django>=4.1<4.1.13
Djangoproject Django>=4.2<4.2.7
pip/Django>=4.2<4.2.7
pip/Django>=4.1<4.1.13
pip/Django>=3.2<3.2.23
Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
pip/django>=4.2<4.2.6
pip/django>=4.1<4.1.12
pip/django>=3.2<3.2.22
Djangoproject Django>=3.2<3.2.22
Djangoproject Django>=4.1<4.1.12
Djangoproject Django>=4.2<4.2.6
and 11 more
Django: CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()
Djangoproject Django>=3.2<3.2.21
Djangoproject Django>=4.1<4.1.11
Djangoproject Django>=4.2<4.2.5
Fedoraproject Fedora=39
pip/django>=4.2<4.2.5
pip/django>=4.1<4.1.11
and 11 more
`EmailValidator` and `URLValidator` were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs. Affected versions: Djan...
ubuntu/python-django<4.2.3<4.1.10<3.2.20
ubuntu/python-django<2:2.2.12-1ubuntu0.18
ubuntu/python-django<2:3.2.12-2ubuntu1.7
ubuntu/python-django<3:3.2.15-1ubuntu1.4
ubuntu/python-django<3:3.2.18-1ubuntu0.3
ubuntu/python-django<1:1.11.11-1ubuntu1.21+
and 15 more
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been suppor...
ubuntu/python-django<1:1.11.11-1ubuntu1.21
ubuntu/python-django<2:2.2.12-1ubuntu0.17
ubuntu/python-django<2:3.2.12-2ubuntu1.6
ubuntu/python-django<3:3.2.15-1ubuntu1.3
ubuntu/python-django<3:3.2.18-1ubuntu0.1
ubuntu/python-django<4.2.1<4.1.9<3.2.19
and 13 more
A memory exhaustion flaw was found in the python-django package. This issue occurs when passing certain inputs, leading to a system crash and denial of service.
redhat/automation-controller<0:4.4.2-1.el8a
redhat/automation-controller<0:4.4.2-1.el9a
redhat/python-django<0:3.2.18-1.el8
redhat/python-django<0:3.2.18-1.0.1.el8
Djangoproject Django>=3.2<3.2.18
Djangoproject Django>=4.0<4.0.10
and 8 more
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-s...
redhat/python-django<0:3.2.18-1.el8
redhat/python-django<0:3.2.18-1.0.1.el8
Djangoproject Django>=3.2<3.2.17
Djangoproject Django>=4.0<4.0.9
Djangoproject Django>=4.1<4.1.6
Debian Debian Linux=10.0
A denial of service flaw was discovered in Django. This issue occurs when incorrectly handling certain internationalized URLs. A malicious attacker could use this issue to cause a crash, resulting in ...
pip/django>=4.1<4.1.2
pip/django>=4.0<4.0.8
pip/django>=3.2<3.2.16
redhat/python-django<0:3.2.18-1.el8
redhat/python-django<0:3.2.16-1.0.1.el8
Djangoproject Django>=3.2<3.2.16
and 3 more
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Di...
Djangoproject Django>=3.2<3.2.15
Djangoproject Django>=4.0<4.0.7
Debian Debian Linux=11.0
pip/Django>=4.0<4.0.7
pip/Django>=3.2<3.2.15
debian/python-django
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The `Trunc()` and `Extract()` database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name ...
redhat/python-django<0:3.2.14-2.el8
redhat/python-django<0:3.2.14-3.el8
Djangoproject Django>=3.2<3.2.14
Djangoproject Django>=4.0<4.0.6
pip/django>=4.0<4.0.6
pip/django>=3.2<3.2.14
and 4 more
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion)...
pip/Django>=4.0<4.0.4
pip/Django>=3.2<3.2.13
pip/Django>=2.2<2.2.28
redhat/Django<4.0.4
redhat/Django<3.2.13
redhat/Django<2.2.28
and 11 more
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. `QuerySet.annotate()`, `aggregate()`, and `extra()` methods are subject to SQL injection in column aliases...
redhat/automation-controller<0:4.1.2-2.el8a
redhat/python-django<0:3.2.13-1.el8
redhat/python3-django<0:2.2.28-1.el7
redhat/python3-django<0:2.2.28-1.el8
redhat/python-django20<0:2.0.13-18.el8
redhat/python-django20<0:2.0.13-17.el8
and 14 more
A flaw was found in Django. The issue occurs when passing certain inputs to multipart forms, resulting in an infinite loop when parsing files.
redhat/python-django20<0:2.0.13-18.el8
redhat/python-django<0:3.2.13-1.el8
Djangoproject Django>=2.2<2.2.27
Djangoproject Django>=3.2<3.2.12
Djangoproject Django>=4.0<4.0.2
Fedoraproject Fedora=34
and 9 more
A flaw was found in Django. The `{% debug %}` template tag did not properly encode the current context, posing a Cross-site scripting attack vector (XSS).
redhat/python-django20<0:2.0.13-18.el8
redhat/python-django<0:3.2.13-1.el8
redhat/python-django<0:3.2.14-2.el8
debian/2:2.2.25-1~deb11u1
debian/2:3.2.11-2
debian/python-django<=1:1.11.29-1~deb10u1
and 14 more
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
Djangoproject Django>=2.2<2.2.26
Djangoproject Django>=3.2<3.2.11
Djangoproject Django>=4.0<4.0.1
Fedoraproject Fedora=35
redhat/Django<4.0.1
redhat/Django<3.2.11
and 4 more
`UserAttributeSimilarityValidator` incurred significant overhead evaluating submitted passwords that were artificially large in relation to the comparison values. On the assumption that access ...
pip/Django>=4.0.0<4.0.1
pip/Django>=3.2.0<3.2.11
pip/Django>=2.2.0<2.2.26
redhat/Django<4.0.1
redhat/Django<3.2.11
redhat/Django<2.2.26
and 4 more
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter w...
redhat/python-django<0:3.2.13-1.el8
Djangoproject Django>=2.2<2.2.26
Djangoproject Django>=3.2<3.2.11
Djangoproject Django>=4.0<4.0.1
Fedoraproject Fedora=35
pip/Django>=4.0.0<4.0.1
and 2 more
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
redhat/django<3.2.10
redhat/django<3.1.14
redhat/django<2.2.25
redhat/python-django<0:3.2.13-1.el8
redhat/python-django<0:3.2.16-1.0.1.el8
Djangoproject Django>=2.2<2.2.25
and 9 more
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
pip/Django>=3.0.0<3.1.13
pip/Django>=3.2.0<3.2.5
Djangoproject Django>=3.1<3.1.13
Djangoproject Django>=3.2<3.2.5
Fedoraproject Fedora=34
and 2 more
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This ma...
pip/django>=3.2.0<3.2.4
pip/django>=3.0.0<3.1.12
pip/django>=2.2.0<2.2.24
Djangoproject Django>=2.2<2.2.24
Djangoproject Django>=3.0<3.1.12
Djangoproject Django>=3.2<3.2.4
and 3 more
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the exist...
redhat/python-django20<0:2.0.13-16.el8
redhat/python3-django<0:2.2.24-1.el7
Djangoproject Django<2.2.24
Djangoproject Django>=3.0.0<3.1.12
Djangoproject Django>=3.2.0<3.2.4
Fedoraproject Fedora=35
and 3 more
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application ...
Djangoproject Django>=2.2<2.2.22
Djangoproject Django>=3.1<3.1.10
Djangoproject Django>=3.2<3.2.2
Python Python>=3.9.5
Fedoraproject Fedora=34
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
pip/Django>=3.2.0<3.2.1
pip/Django>=3.0.0<3.1.9
pip/Django>=2.2.0<2.2.21
redhat/python-django20<0:2.0.13-16.el8
redhat/python3-django<0:2.2.24-1.el7
Djangoproject Django>=2.2<2.2.21
and 14 more
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not...
Djangoproject Django>=2.2<2.2.20
Djangoproject Django>=3.0<3.0.14
Djangoproject Django>=3.1<3.1.8
Debian Debian Linux=9.0
Fedoraproject Fedora=34
Python CPython could allow a remote attacker to bypass security restrictions, caused by a web cache poisoning flaw via urllib.parse.parse_qsl and urllib.parse.parse_qs. By sending a specially-crafted ...
IBM Cloud Pak for Security (CP4S)<=1.7.2.0
IBM Cloud Pak for Security (CP4S)<=1.7.1.0
IBM Cloud Pak for Security (CP4S)<=1.7.0.0
Python Python<3.6.13
Python Python>=3.7.0<3.7.10
Python Python>=3.8.0<3.8.8
and 28 more
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal v...
redhat/automation-hub<0:4.2.2-1.el7
redhat/python3-django<0:2.2.18-1.el7
redhat/python-bleach<0:3.3.0-1.el7
redhat/python-bleach-allowlist<0:1.0.3-1.el7
redhat/python-galaxy-importer<0:0.2.15-1.el7
redhat/python-galaxy-ng<0:4.2.2-1.el7
and 17 more
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level di...
pip/django>=3.1<3.1.1
pip/django>=3.0<3.0.10
pip/django>=2.2<2.2.16
Djangoproject Django>=2.2<2.2.16
Djangoproject Django>=3.0<3.0.10
Djangoproject Django>=3.1<3.1.1
and 8 more
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's sta...
Djangoproject Django>=2.2<2.2.16
Djangoproject Django>=3.0<3.0.10
Djangoproject Django>=3.1<3.1.1
Canonical Ubuntu Linux=20.04
Fedoraproject Fedora=31
Fedoraproject Fedora=32
and 8 more
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collisi...
pip/django>=3.0.0<3.0.7
pip/django>=2.0.0<2.2.13
Djangoproject Django>=2.2<2.2.13
Djangoproject Django>=3.0<3.0.7
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
and 17 more
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility o...
Djangoproject Django>=2.2<2.2.13
Djangoproject Django>=3.0<3.0.7
Fedoraproject Fedora=32
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
and 16 more
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suit...
redhat/pulp<0:2.21.5-2.el7
redhat/python-django<0:1.11.29-1.el7
Djangoproject Django>=1.11<1.11.29
Djangoproject Django>=2.2<2.2.11
Djangoproject Django>=3.0<3.0.4
Debian Debian Linux=9.0
and 18 more
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data a...
pip/django>=3.0.0<3.0.3
pip/django>=2.0.0<2.2.10
pip/django<1.11.28
debian/python-django<=1:1.11.27-1~deb10u1<=2:2.2.9-2
Djangoproject Django>=1.11<1.11.28
Djangoproject Django>=2.2<2.2.10
and 5 more
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of ...
pip/django>=3.0.0<3.0.1
pip/django>=2.0.0<2.2.9
pip/django<1.11.27
debian/python-django<=1:1.11.23-1~deb10u1<=1:1.10.7-2+deb9u6
debian/2:2.2.8-1
Djangoproject Django<1.11.27
and 18 more
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edi...
Djangoproject Django>=2.1<2.1.15
Djangoproject Django>=2.2<2.2.8
Fedoraproject Fedora=31
pip/django>=2.2.0<2.2.8
pip/django>=2.1.0<2.1.15
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage ...
Djangoproject Django>=1.11<1.11.23
Djangoproject Django>=2.1<2.1.11
Djangoproject Django>=2.2<2.2.4
openSUSE Leap=15.1
redhat/python-django<0:1.11.27-1.el7
redhat/python-django<0:2.1.11-1.el8
and 1 more
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.f...
pip/django>=2.2.0<2.2.4
pip/django>=2.1.0<2.1.11
pip/django>=1.11.0<1.11.23
Djangoproject Django>=1.11<1.11.23
Djangoproject Django>=2.1<2.1.11
Djangoproject Django>=2.2<2.2.4
and 6 more
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely...
pip/django>=2.2.0<2.2.4
pip/django>=2.1.0<2.1.11
pip/django>=1.11.0<1.11.23
debian/python-django
redhat/python-django<1.11.23
redhat/python-django<2.1.11
and 7 more
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If `django.utils.text.Truncator`'s `chars()` and `words()` methods were passed the `html=True` arg...
Djangoproject Django>=1.11<1.11.23
Djangoproject Django>=2.1<2.1.11
Djangoproject Django>=2.2<2.2.4
openSUSE Leap=15.1
debian/1.7.11-1+deb8u6
debian/2:2.2.3-5
and 9 more
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT sett...
pip/django>=2.2.0<2.2.3
pip/django>=2.1.0<2.1.10
pip/django>=1.11.0<1.11.22
redhat/python-django<0:1.11.27-1.el7
redhat/python-django<0:2.1.11-1.el8
redhat/ansible-collection-redhat-satellite<0:1.3.0-1.el7
and 294 more
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without ...
pip/django>=2.2.0<2.2.2
pip/django>=2.1.0<2.1.9
pip/django>=1.11.0<1.11.21
Djangoproject Django>=1.11<1.11.21
Djangoproject Django>=2.1<2.1.9
Djangoproject Django>=2.2<2.2.2
and 5 more
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() funct...
pip/django>=2.1.0<2.1.6
pip/django>=2.0.0<2.0.11
pip/django<1.11.19
Djangoproject Django>=1.11.0<1.11.19
Djangoproject Django>=2.0.0<2.0.11
Djangoproject Django>=2.1.0<2.1.6
and 10 more
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defau...
pip/django>=2.1.0<2.1.5
pip/django>=2.0.0<2.0.10
pip/django<1.11.18
Djangoproject Django>=1.11<1.11.18
Djangoproject Django>=2.0<2.0.10
Djangoproject Django>=2.1<2.1.5
and 13 more
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an...
pip/django>=2.1<2.1.2
Djangoproject Django>=2.1<2.1.2
`django.middleware.common.CommonMiddleware` in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
pip/django>=2.0<2.0.8
pip/django>=1.11.0<1.11.15
Djangoproject Django>=1.11<1.11.15
Djangoproject Django>=2.0<2.0.8
Debian Debian Linux=9.0
Canonical Ubuntu Linux=18.04
and 6 more

© 2024 SecAlerts Pty Ltd.