Vulnerabilities > Djangoproject > Critical
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-07 | CVE-2023-31047 | Improper Input Validation vulnerability in multiple products In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. | 9.8 |
2022-07-04 | CVE-2022-34265 | SQL Injection vulnerability in Djangoproject Django An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. | 9.8 |
2022-04-12 | CVE-2022-28346 | SQL Injection vulnerability in multiple products An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. | 9.8 |
2022-04-12 | CVE-2022-28347 | SQL Injection vulnerability in multiple products A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. | 9.8 |
2021-07-02 | CVE-2021-35042 | SQL Injection vulnerability in multiple products Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. | 9.8 |
2020-02-03 | CVE-2020-7471 | SQL Injection vulnerability in Djangoproject Django Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). | 9.8 |
2019-12-18 | CVE-2019-19844 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in multiple products Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. | 9.8 |
2019-08-09 | CVE-2019-14234 | SQL Injection vulnerability in multiple products An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. | 9.8 |
2016-12-09 | CVE-2016-9013 | Use of Hard-coded Credentials vulnerability in multiple products Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary. | 9.8 |
2014-04-23 | CVE-2014-0474 | Resource Management Errors vulnerability in multiple products The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting." | 10.0 |