Vulnerabilities > Djangoproject > Django > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-12-02 CVE-2019-19118 Incorrect Default Permissions vulnerability in multiple products
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing.
network
low complexity
djangoproject fedoraproject CWE-276
6.5
2019-07-01 CVE-2019-12781 Cleartext Transmission of Sensitive Information vulnerability in multiple products
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3.
network
low complexity
djangoproject canonical debian CWE-319
5.3
2019-06-03 CVE-2019-12308 Cross-site Scripting vulnerability in Djangoproject Django
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2.
network
low complexity
djangoproject CWE-79
6.1
2019-01-09 CVE-2019-3498 Injection vulnerability in multiple products
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
6.5
2018-10-02 CVE-2018-16984 Insufficiently Protected Credentials vulnerability in Djangoproject Django 2.1/2.1.1
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts.
network
low complexity
djangoproject CWE-522
4.0
2018-08-03 CVE-2018-14574 Open Redirect vulnerability in multiple products
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
5.8
2018-03-09 CVE-2018-7537 Incorrect Regular Expression vulnerability in multiple products
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19.
network
low complexity
canonical djangoproject debian CWE-185
5.0
2018-03-09 CVE-2018-7536 Incorrect Regular Expression vulnerability in multiple products
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19.
network
low complexity
canonical djangoproject debian redhat CWE-185
5.3
2018-02-05 CVE-2018-6188 Information Exposure vulnerability in multiple products
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
network
low complexity
djangoproject canonical CWE-200
5.0
2017-09-07 CVE-2017-12794 Cross-site Scripting vulnerability in Djangoproject Django
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page.
4.3