Vulnerabilities > Djangoproject > Django > 1.9.9

DATE CVE VULNERABILITY TITLE RISK
2021-06-08 CVE-2021-33203 Path Traversal vulnerability in multiple products
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs.
network
low complexity
djangoproject fedoraproject CWE-22
4.9
4.9
2019-12-18 CVE-2019-19844 Weak Password Recovery Mechanism for Forgotten Password vulnerability in multiple products
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover.
network
low complexity
djangoproject canonical CWE-640
critical
 9.8
9.8
2017-04-04 CVE-2017-7234 Open Redirect vulnerability in Djangoproject Django
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.
network
low complexity
djangoproject CWE-601
6.1
6.1
2017-04-04 CVE-2017-7233 Open Redirect vulnerability in Djangoproject Django
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL.
network
low complexity
djangoproject CWE-601
6.1
6.1
2016-12-09 CVE-2016-9014 Permissions, Privileges, and Access Controls vulnerability in multiple products
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
network
high complexity
fedoraproject canonical djangoproject CWE-264
8.1
8.1
2016-12-09 CVE-2016-9013 Use of Hard-coded Credentials vulnerability in multiple products
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
network
low complexity
djangoproject canonical fedoraproject CWE-798
critical
 9.8
9.8
2016-10-03 CVE-2016-7401 7PK - Security Features vulnerability in multiple products
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
network
low complexity
canonical djangoproject debian CWE-254
7.5
7.5