Vulnerabilities > Djangoproject > Django > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-12-02 | CVE-2019-19118 | Incorrect Default Permissions vulnerability in multiple products Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. | 6.5 |
2019-07-01 | CVE-2019-12781 | Cleartext Transmission of Sensitive Information vulnerability in multiple products An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. | 5.3 |
2019-06-03 | CVE-2019-12308 | Cross-site Scripting vulnerability in Djangoproject Django An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. | 6.1 |
2019-01-09 | CVE-2019-3498 | Injection vulnerability in multiple products In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. | 6.5 |
2018-10-02 | CVE-2018-16984 | Insufficiently Protected Credentials vulnerability in Djangoproject Django 2.1/2.1.1 An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. | 4.0 |
2018-08-03 | CVE-2018-14574 | Open Redirect vulnerability in multiple products django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. | 5.8 |
2018-03-09 | CVE-2018-7537 | Incorrect Regular Expression vulnerability in multiple products An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. | 5.0 |
2018-03-09 | CVE-2018-7536 | Incorrect Regular Expression vulnerability in multiple products An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. | 5.3 |
2018-02-05 | CVE-2018-6188 | Information Exposure vulnerability in multiple products django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive. | 5.0 |
2017-09-07 | CVE-2017-12794 | Cross-site Scripting vulnerability in Djangoproject Django In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. | 4.3 |