Vulnerabilities > Djangoproject
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-06 | CVE-2021-28658 | Path Traversal vulnerability in multiple products In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. | 5.3 |
| 2021-02-22 | CVE-2020-35681 | Information Exposure vulnerability in Djangoproject Channels 3.0.0/3.0.1/3.0.2 Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. | 7.4 |
| 2021-02-15 | CVE-2021-23336 | HTTP Request Smuggling vulnerability in multiple products The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. | 5.9 |
| 2021-02-02 | CVE-2021-3281 | Path Traversal vulnerability in multiple products In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments. | 5.3 |
| 2020-09-01 | CVE-2020-24584 | Incorrect Default Permissions vulnerability in multiple products An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). | 7.5 |
| 2020-09-01 | CVE-2020-24583 | Incorrect Default Permissions vulnerability in multiple products An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). | 7.5 |
| 2020-06-03 | CVE-2020-13596 | Cross-site Scripting vulnerability in multiple products An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. | 6.1 |
| 2020-06-03 | CVE-2020-13254 | Improper Certificate Validation vulnerability in multiple products An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. | 5.9 |
| 2020-03-05 | CVE-2020-9402 | SQL Injection vulnerability in multiple products Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. | 8.8 |
| 2020-02-03 | CVE-2020-7471 | SQL Injection vulnerability in Djangoproject Django Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). | 9.8 |