Vulnerabilities > Djangoproject

DATE CVE VULNERABILITY TITLE RISK
2022-02-03 CVE-2022-23833 Infinite Loop vulnerability in multiple products
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2.
network
low complexity
djangoproject fedoraproject debian CWE-835
7.5
7.5
2022-01-05 CVE-2021-45115 An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
network
low complexity
djangoproject fedoraproject
7.5
7.5
2022-01-05 CVE-2021-45116 Improper Input Validation vulnerability in multiple products
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
network
low complexity
djangoproject fedoraproject CWE-20
7.5
7.5
2022-01-05 CVE-2021-45452 Path Traversal vulnerability in multiple products
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
network
low complexity
djangoproject fedoraproject CWE-22
5.3
5.3
2021-12-08 CVE-2021-44420 In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. 7.3
7.3
2021-07-02 CVE-2021-35042 SQL Injection vulnerability in multiple products
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
network
low complexity
djangoproject fedoraproject CWE-89
critical
 9.8
9.8
2021-06-08 CVE-2021-33203 Path Traversal vulnerability in multiple products
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs.
network
low complexity
djangoproject fedoraproject CWE-22
4.9
4.9
2021-06-08 CVE-2021-33571 Server-Side Request Forgery (SSRF) vulnerability in multiple products
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals.
network
low complexity
djangoproject fedoraproject CWE-918
7.5
7.5
2021-05-06 CVE-2021-32052 Cross-site Scripting vulnerability in multiple products
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used).
network
low complexity
djangoproject fedoraproject CWE-79
6.1
6.1
2021-05-05 CVE-2021-31542 Path Traversal vulnerability in multiple products
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
network
low complexity
djangoproject debian fedoraproject CWE-22
7.5
7.5