Vulnerabilities > Djangoproject > Django > Medium

DATE CVE VULNERABILITY TITLE RISK
2011-02-14 CVE-2011-0697 Cross-Site Scripting vulnerability in Djangoproject Django
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
4.3
2011-02-14 CVE-2011-0696 Cross-Site Request Forgery (CSRF) vulnerability in Djangoproject Django
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
6.8
2011-01-10 CVE-2010-4535 Improper Input Validation vulnerability in Djangoproject Django
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
network
low complexity
djangoproject CWE-20
5.0
2011-01-10 CVE-2010-4534 Permissions, Privileges, and Access Controls vulnerability in Djangoproject Django
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
network
low complexity
djangoproject CWE-264
4.0
2010-09-14 CVE-2010-3082 Cross-Site Scripting vulnerability in Djangoproject Django 1.2.1/1.2.2
Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
4.3
2009-10-13 CVE-2009-3695 Remote Denial of Service vulnerability in Django 'EmailField' and 'URLField'
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.
network
low complexity
djangoproject
5.0