Vulnerabilities > Djangoproject > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2011-10-19 | CVE-2011-4136 | Improper Input Validation vulnerability in Djangoproject Django django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier. | 5.8 |
2011-02-14 | CVE-2011-0697 | Cross-Site Scripting vulnerability in Djangoproject Django Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. | 4.3 |
2011-02-14 | CVE-2011-0696 | Cross-Site Request Forgery (CSRF) vulnerability in Djangoproject Django Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447. | 6.8 |
2011-01-10 | CVE-2010-4535 | Improper Input Validation vulnerability in Djangoproject Django The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer. | 5.0 |
2011-01-10 | CVE-2010-4534 | Permissions, Privileges, and Access Controls vulnerability in Djangoproject Django The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter. | 4.0 |
2010-09-14 | CVE-2010-3082 | Cross-Site Scripting vulnerability in Djangoproject Django 1.2.1/1.2.2 Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie. | 4.3 |
2009-10-13 | CVE-2009-3695 | Remote Denial of Service vulnerability in Django 'EmailField' and 'URLField' Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression. | 5.0 |