Vulnerabilities > Djangoproject > Django > 1.8.0
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-06-08 | CVE-2021-33203 | Path Traversal vulnerability in multiple products Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. | 4.9 |
2019-12-18 | CVE-2019-19844 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in multiple products Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. | 9.8 |
2018-03-09 | CVE-2018-7537 | Incorrect Regular Expression vulnerability in multiple products An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. | 5.0 |
2018-03-09 | CVE-2018-7536 | Incorrect Regular Expression vulnerability in multiple products An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. | 5.3 |
2017-04-04 | CVE-2017-7234 | Open Redirect vulnerability in Djangoproject Django A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability. | 5.8 |
2017-04-04 | CVE-2017-7233 | Open Redirect vulnerability in Djangoproject Django Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. | 5.8 |
2016-10-03 | CVE-2016-7401 | 7PK - Security Features vulnerability in multiple products The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. | 5.0 |
2016-08-05 | CVE-2016-6186 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. | 6.1 |
2015-12-07 | CVE-2015-8213 | Information Exposure vulnerability in Djangoproject Django The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. | 5.0 |
2015-08-24 | CVE-2015-5964 | Resource Management Errors vulnerability in multiple products The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. | 5.0 |