diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index e82c4be41ee8..bf9ab66e8a85 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -30,1120 +30,1120 @@ Some important caveats apply to this information:
patches or releases, only the description, disclosure and CVE will
be listed.
-Issues prior to Django's security process
-=========================================
+Issues under Django's security process
+======================================
-Some security issues were handled before Django had a formalized
-security process in use. For these, new releases may not have been
-issued at the time and CVEs may not have been assigned.
+All security issues have been handled under versions of Django's security
+process. These are listed below.
-August 16, 2006 - :cve:`2007-0404`
-----------------------------------
+February 1, 2021 - :cve:`2021-3281`
+-----------------------------------
-Filename validation issue in translation framework. `Full description
-`__
+Potential directory-traversal via ``archive.extract()``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 0.90 :commit:`(patch) <518d406e53>`
-* Django 0.91 :commit:`(patch) <518d406e53>`
-* Django 0.95 :commit:`(patch) ` (released January 21 2007)
+* Django 3.1 :commit:`(patch) <02e6592835b4559909aa3aaaf67988fef435f624>`
+* Django 3.0 :commit:`(patch) <52e409ed17287e9aabda847b6afe58be2fa9f86a>`
+* Django 2.2 :commit:`(patch) <21e7622dec1f8612c85c2fc37fe8efbfd3311e37>`
-January 21, 2007 - :cve:`2007-0405`
------------------------------------
+September 1, 2020 - :cve:`2020-24584`
+-------------------------------------
-Apparent "caching" of authenticated user. `Full description
-`__
+Permission escalation in intermediate-level directories of the file system
+cache on Python 3.7+. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 0.95 :commit:`(patch) `
-
-Issues under Django's security process
-======================================
-
-All other security issues have been handled under versions of Django's
-security process. These are listed below.
+* Django 3.1 :commit:`(patch) <2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b>`
+* Django 3.0 :commit:`(patch) `
+* Django 2.2 :commit:`(patch) `
-October 26, 2007 - :cve:`2007-5712`
------------------------------------
+September 1, 2020 - :cve:`2020-24583`
+-------------------------------------
-Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full
-description `__
+Incorrect permissions on intermediate-level directories on Python 3.7+. `Full
+description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 0.91 :commit:`(patch) <8bc36e726c9e8c75c681d3ad232df8e882aaac81>`
-* Django 0.95 :commit:`(patch) <412ed22502e11c50dbfee854627594f0e7e2c234>`
-* Django 0.96 :commit:`(patch) <7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`
+* Django 3.1 :commit:`(patch) <934430d22aa5d90c2ba33495ff69a6a1d997d584>`
+* Django 3.0 :commit:`(patch) <08892bffd275c79ee1f8f67639eb170aaaf1181e>`
+* Django 2.2 :commit:`(patch) <375657a71c889c588f723469bd868bd1d40c369f>`
-May 14, 2008 - :cve:`2008-2302`
--------------------------------
+June 3, 2020 - :cve:`2020-13596`
+--------------------------------
-XSS via admin login redirect. `Full description
-`__
+Possible XSS via admin ``ForeignKeyRawIdWidget``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 0.91 :commit:`(patch) <50ce7fb57d>`
-* Django 0.95 :commit:`(patch) <50ce7fb57d>`
-* Django 0.96 :commit:`(patch) <7791e5c050>`
+* Django 3.0 :commit:`(patch) <1f2dd37f6fcefdd10ed44cb233b2e62b520afb38>`
+* Django 2.2 :commit:`(patch) <6d61860b22875f358fac83d903dc629897934815>`
-September 2, 2008 - :cve:`2008-3909`
-------------------------------------
+June 3, 2020 - :cve:`2020-13254`
+--------------------------------
-CSRF via preservation of POST data during admin login. `Full description
-`__
+Potential data leakage via malformed memcached keys. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 0.91 :commit:`(patch) <44debfeaa4473bd28872c735dd3d9afde6886752>`
-* Django 0.95 :commit:`(patch) `
-* Django 0.96 :commit:`(patch) <7e0972bded362bc4b851c109df2c8a6548481a8e>`
+* Django 3.0 :commit:`(patch) <84b2da5552e100ae3294f564f6c862fef8d0e693>`
+* Django 2.2 :commit:`(patch) <07e59caa02831c4569bbebb9eb773bdd9cb4b206>`
-July 28, 2009 - :cve:`2009-2659`
+March 4, 2020 - :cve:`2020-9402`
--------------------------------
-Directory-traversal in development server media handler. `Full description
-`__
+Potential SQL injection via ``tolerance`` parameter in GIS functions and
+aggregates on Oracle. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 0.96 :commit:`(patch) `
-* Django 1.0 :commit:`(patch) `
+* Django 3.0 :commit:`(patch) <26a5cf834526e291db00385dd33d319b8271fc4c>`
+* Django 2.2 :commit:`(patch) `
+* Django 1.11 :commit:`(patch) <02d97f3c9a88adc890047996e5606180bd1c6166>`
-October 9, 2009 - :cve:`2009-3965`
-----------------------------------
+February 3, 2020 - :cve:`2020-7471`
+-----------------------------------
-Denial-of-service via pathological regular expression performance. `Full
-description `__
+Potential SQL injection via ``StringAgg(delimiter)``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.0 :commit:`(patch) <594a28a904>`
-* Django 1.1 :commit:`(patch) `
+* Django 3.0 :commit:`(patch) <505826b469b16ab36693360da9e11fd13213421b>`
+* Django 2.2 :commit:`(patch) `
+* Django 1.11 :commit:`(patch) <001b0634cd309e372edb6d7d95d083d02b8e37bd>`
-September 8, 2010 - :cve:`2010-3082`
-------------------------------------
+December 18, 2019 - :cve:`2019-19844`
+-------------------------------------
-XSS via trusting unsafe cookie value. `Full description
-`__
+Potential account hijack via password reset form. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.2 :commit:`(patch) <7f84657b6b>`
+* Django 3.0 :commit:`(patch) <302a4ff1e8b1c798aab97673909c7a3dfda42c26>`
+* Django 2.2 :commit:`(patch) <4d334bea06cac63dc1272abcec545b85136cca0e>`
+* Django 1.11 :commit:`(patch) `
-December 22, 2010 - :cve:`2010-4534`
+December 2, 2019 - :cve:`2019-19118`
------------------------------------
-Information leakage in administrative interface. `Full description
-`__
+Privilege escalation in the Django admin. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.1 :commit:`(patch) <17084839fd>`
-* Django 1.2 :commit:`(patch) <85207a245b>`
+* Django 3.0 :commit:`(patch) <092cd66cf3c3e175acce698d6ca2012068d878fa>`
+* Django 2.2 :commit:`(patch) <36f580a17f0b3cb087deadf3b65eea024f479c21>`
+* Django 2.1 :commit:`(patch) <103ebe2b5ff1b2614b85a52c239f471904d26244>`
-December 22, 2010 - :cve:`2010-4535`
-------------------------------------
+August 1, 2019 - :cve:`2019-14235`
+----------------------------------
-Denial-of-service in password-reset mechanism. `Full description
-`__
+Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``. `Full
+description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.1 :commit:`(patch) <7f8dd9cbac>`
-* Django 1.2 :commit:`(patch) `
+* Django 2.2 :commit:`(patch) `
+* Django 2.1 :commit:`(patch) <5d50a2e5fa36ad23ab532fc54cf4073de84b3306>`
+* Django 1.11 :commit:`(patch) <869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79>`
-February 8, 2011 - :cve:`2011-0696`
------------------------------------
+August 1, 2019 - :cve:`2019-14234`
+----------------------------------
-CSRF via forged HTTP headers. `Full description
-`__
+SQL injection possibility in key and index lookups for
+``JSONField``/``HStoreField``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.1 :commit:`(patch) <408c5c873c>`
-* Django 1.2 :commit:`(patch) <818e70344e>`
+* Django 2.2 :commit:`(patch) <4f5b58f5cd3c57fee9972ab074f8dc6895d8f387>`
+* Django 2.1 :commit:`(patch) `
+* Django 1.11 :commit:`(patch) `
-February 8, 2011 - :cve:`2011-0697`
------------------------------------
+August 1, 2019 - :cve:`2019-14233`
+----------------------------------
-XSS via unsanitized names of uploaded files. `Full description
-`__
+Denial-of-service possibility in ``strip_tags()``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.1 :commit:`(patch) <1966786d2d>`
-* Django 1.2 :commit:`(patch) <1f814a9547>`
+* Django 2.2 :commit:`(patch) `
+* Django 2.1 :commit:`(patch) <5ff8e791148bd451180124d76a55cb2b2b9556eb>`
+* Django 1.11 :commit:`(patch) <52479acce792ad80bb0f915f20b835f919993c72>`
-February 8, 2011 - :cve:`2011-0698`
------------------------------------
-Directory-traversal on Windows via incorrect path-separator handling. `Full
-description `__
+August 1, 2019 - :cve:`2019-14232`
+----------------------------------
+
+Denial-of-service possibility in ``django.utils.text.Truncator``. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.1 :commit:`(patch) <570a32a047>`
-* Django 1.2 :commit:`(patch) <194566480b>`
+* Django 2.2 :commit:`(patch) `
+* Django 2.1 :commit:`(patch) `
+* Django 1.11 :commit:`(patch) <42a66e969023c00536256469f0e8b8a099ef109d>`
-September 9, 2011 - :cve:`2011-4136`
-------------------------------------
+July 1, 2019 - :cve:`2019-12781`
+--------------------------------
-Session manipulation when using memory-cache-backed session. `Full description
-`__
+Incorrect HTTP detection with reverse-proxy connecting via HTTPS. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.2 :commit:`(patch) `
-* Django 1.3 :commit:`(patch) `
+* Django 2.2 :commit:`(patch) <77706a3e4766da5d5fb75c4db22a0a59a28e6cd6>`
+* Django 2.1 :commit:`(patch) <1e40f427bb8d0fb37cc9f830096a97c36c97af6f>`
+* Django 1.11 :commit:`(patch) <32124fc41e75074141b05f10fc55a4f01ff7f050>`
-September 9, 2011 - :cve:`2011-4137`
-------------------------------------
+June 3, 2019 - :cve:`2019-12308`
+--------------------------------
-Denial-of-service via ``URLField.verify_exists``. `Full description
-`__
+XSS via "Current URL" link generated by ``AdminURLFieldWidget``. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.2 :commit:`(patch) <7268f8af86>`
-* Django 1.3 :commit:`(patch) <1a76dbefdf>`
+* Django 2.2 :commit:`(patch) `
+* Django 2.1 :commit:`(patch) <09186a13d975de6d049f8b3e05484f66b01ece62>`
+* Django 1.11 :commit:`(patch) `
-September 9, 2011 - :cve:`2011-4138`
-------------------------------------
+June 3, 2019 - :cve:`2019-11358`
+--------------------------------
-Information leakage/arbitrary request issuance via ``URLField.verify_exists``.
-`Full description
-`__
+Prototype pollution in bundled jQuery. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.2: :commit:`(patch) <7268f8af86>`
-* Django 1.3: :commit:`(patch) <1a76dbefdf>`
+* Django 2.2 :commit:`(patch) `
+* Django 2.1 :commit:`(patch) <95649bc08547a878cebfa1d019edec8cb1b80829>`
-September 9, 2011 - :cve:`2011-4139`
+February 11, 2019 - :cve:`2019-6975`
------------------------------------
-``Host`` header cache poisoning. `Full description
-`__
+Memory exhaustion in ``django.utils.numberformat.format()``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.2 :commit:`(patch) `
-* Django 1.3 :commit:`(patch) <2f7fadc38e>`
+* Django 2.1 :commit:`(patch) <40cd19055773705301c3428ed5e08a036d2091f3>`
+* Django 2.0 :commit:`(patch <1f42f82566c9d2d73aff1c42790d6b1b243f7676>` and
+ :commit:`correction) <392e040647403fc8007708d52ce01d915b014849>`
+* Django 1.11 :commit:`(patch) <0bbb560183fabf0533289700845dafa94951f227>`
-September 9, 2011 - :cve:`2011-4140`
-------------------------------------
+January 4, 2019 - :cve:`2019-3498`
+----------------------------------
-Potential CSRF via ``Host`` header. `Full description
-`__
+Content spoofing possibility in the default 404 page. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-This notification was an advisory only, so no patches were issued.
-
-* Django 1.2
-* Django 1.3
+* Django 2.1 :commit:`(patch) <64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b>`
+* Django 2.0 :commit:`(patch) <9f4ed7c94c62e21644ef5115e393ac426b886f2e>`
+* Django 1.11 :commit:`(patch) <1cd00fcf52d089ef0fe03beabd05d59df8ea052a>`
-July 30, 2012 - :cve:`2012-3442`
---------------------------------
+October 1, 2018 - :cve:`2018-16984`
+-----------------------------------
-XSS via failure to validate redirect scheme. `Full description
-`__
+Password hash disclosure to "view only" admin users. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3: :commit:`(patch) <4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`
-* Django 1.4: :commit:`(patch) `
+* Django 2.1 :commit:`(patch) `
-July 30, 2012 - :cve:`2012-3443`
+August 1, 2018 - :cve:`2018-14574`
+----------------------------------
+
+Open redirect possibility in ``CommonMiddleware``. `Full description
+`__
+
+Versions affected
+~~~~~~~~~~~~~~~~~
+
+* Django 2.1 :commit:`(patch) `
+* Django 2.0 :commit:`(patch) <6fffc3c6d420e44f4029d5643f38d00a39b08525>`
+* Django 1.11 :commit:`(patch) `
+
+March 6, 2018 - :cve:`2018-7537`
--------------------------------
-Denial-of-service via compressed image files. `Full description
-`__
+Denial-of-service possibility in ``truncatechars_html`` and
+``truncatewords_html`` template filters. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3: :commit:`(patch) `
-* Django 1.4: :commit:`(patch) `
+* Django 2.0 :commit:`(patch) <94c5da1d17a6b0d378866c66b605102c19f7988c>`
+* Django 1.11 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) `
-July 30, 2012 - :cve:`2012-3444`
+March 6, 2018 - :cve:`2018-7536`
--------------------------------
-Denial-of-service via large image files. `Full description
-`__
+Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template
+filters. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3 :commit:`(patch) <9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`
-* Django 1.4 :commit:`(patch) `
+* Django 2.0 :commit:`(patch) `
+* Django 1.11 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) <1ca63a66ef3163149ad822701273e8a1844192c2>`
-October 17, 2012 - :cve:`2012-4520`
+February 1, 2018 - :cve:`2018-6188`
-----------------------------------
-``Host`` header poisoning. `Full description
-`__
+Information leakage in ``AuthenticationForm``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3 :commit:`(patch) `
-* Django 1.4 :commit:`(patch) <92d3430f12171f16f566c9050c40feefb830a4a3>`
+* Django 2.0 :commit:`(patch) `
+* Django 1.11 :commit:`(patch) <57b95fedad5e0b83fc9c81466b7d1751c6427aae>`
-December 10, 2012 - No CVE 1
-----------------------------
+September 5, 2017 - :cve:`2017-12794`
+-------------------------------------
-Additional hardening of ``Host`` header handling. `Full description
-`__
+Possible XSS in traceback section of technical 500 debug page. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3 :commit:`(patch) <2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`
-* Django 1.4 :commit:`(patch) <319627c184e71ae267d6b7f000e293168c7b6e09>`
+* Django 1.11 :commit:`(patch) `
+* Django 1.10 :commit:`(patch) <58e08e80e362db79eb0fd775dc81faad90dca47a>`
-December 10, 2012 - No CVE 2
-----------------------------
+April 4, 2017 - :cve:`2017-7234`
+--------------------------------
-Additional hardening of redirect validation. `Full description
-`__
+Open redirect vulnerability in ``django.views.static.serve()``. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3: :commit:`(patch) <1515eb46daa0897ba5ad5f0a2db8969255f1b343>`
-* Django 1.4: :commit:`(patch) `
+* Django 1.10 :commit:`(patch) <2a9f6ef71b8e23fd267ee2be1be26dde8ab67037>`
+* Django 1.9 :commit:`(patch) <5f1ffb07afc1e59729ce2b283124116d6c0659e4>`
+* Django 1.8 :commit:`(patch) <4a6b945dffe8d10e7cec107d93e6efaebfbded29>`
-February 19, 2013 - No CVE
---------------------------
+April 4, 2017 - :cve:`2017-7233`
+--------------------------------
-Additional hardening of ``Host`` header handling. `Full description
-`__
+Open redirect and possible XSS attack via user-supplied numeric redirect URLs.
+`Full description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3 :commit:`(patch) <27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`
-* Django 1.4 :commit:`(patch) <9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`
+* Django 1.10 :commit:`(patch) `
+* Django 1.9 :commit:`(patch) <254326cb3682389f55f886804d2c43f7b9f23e4f>`
+* Django 1.8 :commit:`(patch) <8339277518c7d8ec280070a780915304654e3b66>`
-February 19, 2013 - :cve:`2013-1664` / :cve:`2013-1665`
--------------------------------------------------------
+November 1, 2016 - :cve:`2016-9014`
+-----------------------------------
-Entity-based attacks against Python XML libraries. `Full description
-`__
+DNS rebinding vulnerability when ``DEBUG=True``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3 :commit:`(patch) `
-* Django 1.4 :commit:`(patch) <1c60d07ba23e0350351c278ad28d0bd5aa410b40>`
+* Django 1.10 :commit:`(patch) <884e113838e5a72b4b0ec9e5e87aa480f6aa4472>`
+* Django 1.9 :commit:`(patch) <45acd6d836895a4c36575f48b3fb36a3dae98d19>`
+* Django 1.8 :commit:`(patch) `
-February 19, 2013 - :cve:`2013-0305`
-------------------------------------
+November 1, 2016 - :cve:`2016-9013`
+-----------------------------------
-Information leakage via admin history log. `Full description
-`__
+User with hardcoded password created when running tests on Oracle. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3 :commit:`(patch) `
-* Django 1.4 :commit:`(patch) <0e7861aec73702f7933ce2a93056f7983939f0d6>`
+* Django 1.10 :commit:`(patch) <34e10720d81b8d407aa14d763b6a7fe8f13b4f2e>`
+* Django 1.9 :commit:`(patch) <4844d86c7728c1a5a3bbce4ad336a8d32304072b>`
+* Django 1.8 :commit:`(patch) <70f99952965a430daf69eeb9947079aae535d2d0>`
-February 19, 2013 - :cve:`2013-0306`
-------------------------------------
+September 26, 2016 - :cve:`2016-7401`
+-------------------------------------
-Denial-of-service via formset ``max_num`` bypass. `Full description
-`__
+CSRF protection bypass on a site with Google Analytics. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.3 :commit:`(patch) `
-* Django 1.4 :commit:`(patch) <0cc350a896f70ace18280410eb616a9197d862b0>`
+* Django 1.9 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) <6118ab7d0676f0d622278e5be215f14fb5410b6a>`
-August 13, 2013 - :cve:`2013-4249`
-----------------------------------
+July 18, 2016 - :cve:`2016-6186`
+--------------------------------
-XSS via admin trusting ``URLField`` values. `Full description
-`__
+XSS in admin's add/change related popup. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.5 :commit:`(patch) <90363e388c61874add3f3557ee654a996ec75d78>`
+* Django 1.9 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) `
-August 13, 2013 - :cve:`2013-6044`
-----------------------------------
+March 1, 2016 - :cve:`2016-2513`
+--------------------------------
-Possible XSS via unvalidated URL redirect schemes. `Full description
-`__
+User enumeration through timing difference on password hasher work factor
+upgrade. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) `
-* Django 1.5 :commit:`(patch) <1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`
+* Django 1.9 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) `
-September 10, 2013 - :cve:`2013-4315`
--------------------------------------
+March 1, 2016 - :cve:`2016-2512`
+--------------------------------
-Directory-traversal via ``ssi`` template tag. `Full description
-`__
+Malicious redirect and possible XSS attack via user-supplied redirect URLs
+containing basic auth. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <87d2750b39f6f2d54b7047225521a44dcd37e896>`
-* Django 1.5 :commit:`(patch) <988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`
+* Django 1.9 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) <382ab137312961ad62feb8109d70a5a581fe8350>`
-September 14, 2013 - :cve:`2013-1443`
--------------------------------------
+February 1, 2016 - :cve:`2016-2048`
+-----------------------------------
-Denial-of-service via large passwords. `Full description
-`__
+User with "change" but not "add" permission can create objects for
+``ModelAdmin``’s with ``save_as=True``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch <3f3d887a6844ec2db743fee64c9e53e04d39a368>` and :commit:`Python compatibility fix) <6903d1690a92aa040adfb0c8eb37cf62e4206714>`
-* Django 1.5 :commit:`(patch) <22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`
+* Django 1.9 :commit:`(patch) `
-April 21, 2014 - :cve:`2014-0472`
----------------------------------
+November 24, 2015 - :cve:`2015-8213`
+------------------------------------
-Unexpected code execution using ``reverse()``. `Full description
-`__
+Settings leak possibility in ``date`` template filter. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) `
-* Django 1.5 :commit:`(patch) <2a5bcb69f42b84464b24b5c835dca6467b6aa7f1>`
-* Django 1.6 :commit:`(patch) <4352a50871e239ebcdf64eee6f0b88e714015c1b>`
-* Django 1.7 :commit:`(patch) <546740544d7f69254a67b06a3fc7fa0c43512958>`
+* Django 1.8 :commit:`(patch) <9f83fc2f66f5a0bac7c291aec55df66050bb6991>`
+* Django 1.7 :commit:`(patch) <8a01c6b53169ee079cb21ac5919fdafcc8c5e172>`
-April 21, 2014 - :cve:`2014-0473`
----------------------------------
+August 18, 2015 - :cve:`2015-5963` / :cve:`2015-5964`
+-----------------------------------------------------
-Caching of anonymous pages could reveal CSRF token. `Full description
-`__
+Denial-of-service possibility in ``logout()`` view by filling session store.
+`Full description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <1170f285ddd6a94a65f911a27788ba49ca08c0b0>`
-* Django 1.5 :commit:`(patch) <6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8>`
-* Django 1.6 :commit:`(patch) `
-* Django 1.7 :commit:`(patch) <380545bf85cbf17fc698d136815b7691f8d023ca>`
+* Django 1.8 :commit:`(patch) <2eb86b01d7b59be06076f6179a454d0fd0afaff6>`
+* Django 1.7 :commit:`(patch) <2f5485346ee6f84b4e52068c04e043092daf55f7>`
+* Django 1.4 :commit:`(patch) <575f59f9bc7c59a5e41a081d1f5f55fc859c5012>`
-April 21, 2014 - :cve:`2014-0474`
----------------------------------
+July 8, 2015 - :cve:`2015-5145`
+-------------------------------
-MySQL typecasting causes unexpected query results. `Full description
-`__
+Denial-of-service possibility in URL validation. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) `
-* Django 1.5 :commit:`(patch) <985434fb1d6bf2335bf96c6ebf91c3674f1f399f>`
-* Django 1.6 :commit:`(patch) <5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292>`
-* Django 1.7 :commit:`(patch) <34526c2f56b863c2103655a0893ac801667e86ea>`
+* Django 1.8 :commit:`(patch) <8f9a4d3a2bc42f14bb437defd30c7315adbff22c>`
-May 18, 2014 - :cve:`2014-1418`
+July 8, 2015 - :cve:`2015-5144`
-------------------------------
-Caches may be allowed to store and serve private data. `Full description
-`__
+Header injection possibility since validators accept newlines in input. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <28e23306aa53bbbb8fb87db85f99d970b051026c>`
-* Django 1.5 :commit:`(patch) <4001ec8698f577b973c5a540801d8a0bbea1205b>`
-* Django 1.6 :commit:`(patch) <1abcf3a808b35abae5d425ed4d44cb6e886dc769>`
-* Django 1.7 :commit:`(patch) <7fef18ba9e5a8b47bc24b5bb259c8bf3d3879f2a>`
+* Django 1.8 :commit:`(patch) <574dd5e0b0fbb877ae5827b1603d298edc9bb2a0>`
+* Django 1.7 :commit:`(patch) `
+* Django 1.4 :commit:`(patch) <1ba1cdce7d58e6740fe51955d945b56ae51d072a>`
-May 18, 2014 - :cve:`2014-3730`
+July 8, 2015 - :cve:`2015-5143`
-------------------------------
-Malformed URLs from user input incorrectly validated. `Full description
-`__
+Denial-of-service possibility by filling session store. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <7feb54bbae3f637ab3c4dd4831d4385964f574df>`
-* Django 1.5 :commit:`(patch) `
-* Django 1.6 :commit:`(patch) <601107524523bca02376a0ddc1a06c6fdb8f22f3>`
-* Django 1.7 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) <66d12d1ababa8f062857ee5eb43276493720bf16>`
+* Django 1.7 :commit:`(patch) <1828f4341ec53a8684112d24031b767eba557663>`
+* Django 1.4 :commit:`(patch) <2e47f3e401c29bc2ba5ab794d483cb0820855fb9>`
-August 20, 2014 - :cve:`2014-0480`
-----------------------------------
+May 20, 2015 - :cve:`2015-3982`
+-------------------------------
-``reverse()`` can generate URLs pointing to other hosts. `Full description
-`__
+Fixed session flushing in the cached_db backend. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) `
-* Django 1.5 :commit:`(patch) <45ac9d4fb087d21902469fc22643f5201d41a0cd>`
-* Django 1.6 :commit:`(patch) `
-* Django 1.7 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) <31cb25adecba930bdeee4556709f5a1c42d88fd6>`
-August 20, 2014 - :cve:`2014-0481`
-----------------------------------
+March 18, 2015 - :cve:`2015-2317`
+---------------------------------
-File upload denial of service. `Full description
-`__
+Mitigated possible XSS attack via user-supplied redirect URLs. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <30042d475bf084c6723c6217a21598d9247a9c41>`
-* Django 1.5 :commit:`(patch) <26cd48e166ac4d84317c8ee6d63ac52a87e8da99>`
-* Django 1.6 :commit:`(patch) `
-* Django 1.7 :commit:`(patch) <3123f8452cf49071be9110e277eea60ba0032216>`
+* Django 1.4 :commit:`(patch) <2342693b31f740a422abf7267c53b4e7bc487c1b>`
+* Django 1.6 :commit:`(patch) <5510f070711540aaa8d3707776cd77494e688ef9>`
+* Django 1.7 :commit:`(patch) <2a4113dbd532ce952308992633d802dc169a75f1>`
+* Django 1.8 :commit:`(patch) <770427c2896a078925abfca2317486b284d22f04>`
-August 20, 2014 - :cve:`2014-0482`
-----------------------------------
+March 18, 2015 - :cve:`2015-2316`
+---------------------------------
-``RemoteUserMiddleware`` session hijacking. `Full description
-`__
+Denial-of-service possibility with ``strip_tags()``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) `
-* Django 1.5 :commit:`(patch) `
-* Django 1.6 :commit:`(patch) <0268b855f9eab3377f2821164ef3e66037789e09>`
-* Django 1.7 :commit:`(patch) <1a45d059c70385fcd6f4a3955f3b4e4cc96d0150>`
+* Django 1.6 :commit:`(patch) `
+* Django 1.7 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) <5447709a571cd5d95971f1d5d21d4a7edcf85bbd>`
-August 20, 2014 - :cve:`2014-0483`
-----------------------------------
+March 9, 2015 - :cve:`2015-2241`
+--------------------------------
-Data leakage via querystring manipulation in admin.
-`Full description `__
+XSS attack via properties in ``ModelAdmin.readonly_fields``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <027bd348642007617518379f8b02546abacaa6e0>`
-* Django 1.5 :commit:`(patch) <2a446c896e7c814661fb9c4f212b071b2a7fa446>`
-* Django 1.6 :commit:`(patch) `
-* Django 1.7 :commit:`(patch) <2b31342cdf14fc20e07c43d258f1e7334ad664a6>`
+* Django 1.7 :commit:`(patch) `
+* Django 1.8 :commit:`(patch) <2654e1b93923bac55f12b4e66c5e39b16695ace5>`
-January 13, 2015 - :cve:`2015-0219`
+January 13, 2015 - :cve:`2015-0222`
-----------------------------------
-WSGI header spoofing via underscore/dash conflation. `Full description
+Database denial-of-service with ``ModelMultipleChoiceField``. `Full description
`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <4f6fffc1dc429f1ad428ecf8e6620739e8837450>`
-* Django 1.6 :commit:`(patch) `
-* Django 1.7 :commit:`(patch) <41b4bc73ee0da7b2e09f4af47fc1fd21144c710f>`
+* Django 1.6 :commit:`(patch) `
+* Django 1.7 :commit:`(patch) `
-January 13, 2015 - :cve:`2015-0220`
+January 13, 2015 - :cve:`2015-0221`
-----------------------------------
-Mitigated possible XSS attack via user-supplied redirect URLs. `Full
+Denial-of-service attack against ``django.views.static.serve()``. `Full
description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <4c241f1b710da6419d9dca160e80b23b82db7758>`
-* Django 1.6 :commit:`(patch) <72e0b033662faa11bb7f516f18a132728aa0ae28>`
-* Django 1.7 :commit:`(patch) `
+* Django 1.4 :commit:`(patch) `
+* Django 1.6 :commit:`(patch) <553779c4055e8742cc832ed525b9ee34b174934f>`
+* Django 1.7 :commit:`(patch) <818e59a3f0fbadf6c447754d202d88df025f8f2a>`
-January 13, 2015 - :cve:`2015-0221`
+January 13, 2015 - :cve:`2015-0220`
-----------------------------------
-Denial-of-service attack against ``django.views.static.serve()``. `Full
+Mitigated possible XSS attack via user-supplied redirect URLs. `Full
description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) `
-* Django 1.6 :commit:`(patch) <553779c4055e8742cc832ed525b9ee34b174934f>`
-* Django 1.7 :commit:`(patch) <818e59a3f0fbadf6c447754d202d88df025f8f2a>`
+* Django 1.4 :commit:`(patch) <4c241f1b710da6419d9dca160e80b23b82db7758>`
+* Django 1.6 :commit:`(patch) <72e0b033662faa11bb7f516f18a132728aa0ae28>`
+* Django 1.7 :commit:`(patch) `
-January 13, 2015 - :cve:`2015-0222`
+January 13, 2015 - :cve:`2015-0219`
-----------------------------------
-Database denial-of-service with ``ModelMultipleChoiceField``. `Full description
+WSGI header spoofing via underscore/dash conflation. `Full description
`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.6 :commit:`(patch) `
-* Django 1.7 :commit:`(patch) `
+* Django 1.4 :commit:`(patch) <4f6fffc1dc429f1ad428ecf8e6620739e8837450>`
+* Django 1.6 :commit:`(patch) `
+* Django 1.7 :commit:`(patch) <41b4bc73ee0da7b2e09f4af47fc1fd21144c710f>`
-March 9, 2015 - :cve:`2015-2241`
---------------------------------
+August 20, 2014 - :cve:`2014-0483`
+----------------------------------
-XSS attack via properties in ``ModelAdmin.readonly_fields``. `Full description
-`__
+Data leakage via querystring manipulation in admin.
+`Full description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.7 :commit:`(patch) `
-* Django 1.8 :commit:`(patch) <2654e1b93923bac55f12b4e66c5e39b16695ace5>`
+* Django 1.4 :commit:`(patch) <027bd348642007617518379f8b02546abacaa6e0>`
+* Django 1.5 :commit:`(patch) <2a446c896e7c814661fb9c4f212b071b2a7fa446>`
+* Django 1.6 :commit:`(patch) `
+* Django 1.7 :commit:`(patch) <2b31342cdf14fc20e07c43d258f1e7334ad664a6>`
-March 18, 2015 - :cve:`2015-2316`
----------------------------------
+August 20, 2014 - :cve:`2014-0482`
+----------------------------------
-Denial-of-service possibility with ``strip_tags()``. `Full description
-`__
+``RemoteUserMiddleware`` session hijacking. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.6 :commit:`(patch) `
-* Django 1.7 :commit:`(patch) `
-* Django 1.8 :commit:`(patch) <5447709a571cd5d95971f1d5d21d4a7edcf85bbd>`
+* Django 1.4 :commit:`(patch) `
+* Django 1.5 :commit:`(patch) `
+* Django 1.6 :commit:`(patch) <0268b855f9eab3377f2821164ef3e66037789e09>`
+* Django 1.7 :commit:`(patch) <1a45d059c70385fcd6f4a3955f3b4e4cc96d0150>`
-March 18, 2015 - :cve:`2015-2317`
----------------------------------
+August 20, 2014 - :cve:`2014-0481`
+----------------------------------
-Mitigated possible XSS attack via user-supplied redirect URLs. `Full
-description `__
+File upload denial of service. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.4 :commit:`(patch) <2342693b31f740a422abf7267c53b4e7bc487c1b>`
-* Django 1.6 :commit:`(patch) <5510f070711540aaa8d3707776cd77494e688ef9>`
-* Django 1.7 :commit:`(patch) <2a4113dbd532ce952308992633d802dc169a75f1>`
-* Django 1.8 :commit:`(patch) <770427c2896a078925abfca2317486b284d22f04>`
+* Django 1.4 :commit:`(patch) <30042d475bf084c6723c6217a21598d9247a9c41>`
+* Django 1.5 :commit:`(patch) <26cd48e166ac4d84317c8ee6d63ac52a87e8da99>`
+* Django 1.6 :commit:`(patch) `
+* Django 1.7 :commit:`(patch) <3123f8452cf49071be9110e277eea60ba0032216>`
-May 20, 2015 - :cve:`2015-3982`
--------------------------------
+August 20, 2014 - :cve:`2014-0480`
+----------------------------------
-Fixed session flushing in the cached_db backend. `Full description
-`__
+``reverse()`` can generate URLs pointing to other hosts. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.8 :commit:`(patch) <31cb25adecba930bdeee4556709f5a1c42d88fd6>`
+* Django 1.4 :commit:`(patch) `
+* Django 1.5 :commit:`(patch) <45ac9d4fb087d21902469fc22643f5201d41a0cd>`
+* Django 1.6 :commit:`(patch) `
+* Django 1.7 :commit:`(patch) `
-July 8, 2015 - :cve:`2015-5143`
+May 18, 2014 - :cve:`2014-3730`
-------------------------------
-Denial-of-service possibility by filling session store. `Full
-description `__
+Malformed URLs from user input incorrectly validated. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.8 :commit:`(patch) <66d12d1ababa8f062857ee5eb43276493720bf16>`
-* Django 1.7 :commit:`(patch) <1828f4341ec53a8684112d24031b767eba557663>`
-* Django 1.4 :commit:`(patch) <2e47f3e401c29bc2ba5ab794d483cb0820855fb9>`
+* Django 1.4 :commit:`(patch) <7feb54bbae3f637ab3c4dd4831d4385964f574df>`
+* Django 1.5 :commit:`(patch) `
+* Django 1.6 :commit:`(patch) <601107524523bca02376a0ddc1a06c6fdb8f22f3>`
+* Django 1.7 :commit:`(patch) `
-July 8, 2015 - :cve:`2015-5144`
+May 18, 2014 - :cve:`2014-1418`
-------------------------------
-Header injection possibility since validators accept newlines in input. `Full
-description `__
+Caches may be allowed to store and serve private data. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.8 :commit:`(patch) <574dd5e0b0fbb877ae5827b1603d298edc9bb2a0>`
-* Django 1.7 :commit:`(patch) `
-* Django 1.4 :commit:`(patch) <1ba1cdce7d58e6740fe51955d945b56ae51d072a>`
+* Django 1.4 :commit:`(patch) <28e23306aa53bbbb8fb87db85f99d970b051026c>`
+* Django 1.5 :commit:`(patch) <4001ec8698f577b973c5a540801d8a0bbea1205b>`
+* Django 1.6 :commit:`(patch) <1abcf3a808b35abae5d425ed4d44cb6e886dc769>`
+* Django 1.7 :commit:`(patch) <7fef18ba9e5a8b47bc24b5bb259c8bf3d3879f2a>`
-July 8, 2015 - :cve:`2015-5145`
--------------------------------
+April 21, 2014 - :cve:`2014-0474`
+---------------------------------
-Denial-of-service possibility in URL validation. `Full description
-`__
+MySQL typecasting causes unexpected query results. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.8 :commit:`(patch) <8f9a4d3a2bc42f14bb437defd30c7315adbff22c>`
+* Django 1.4 :commit:`(patch) `
+* Django 1.5 :commit:`(patch) <985434fb1d6bf2335bf96c6ebf91c3674f1f399f>`
+* Django 1.6 :commit:`(patch) <5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292>`
+* Django 1.7 :commit:`(patch) <34526c2f56b863c2103655a0893ac801667e86ea>`
-August 18, 2015 - :cve:`2015-5963` / :cve:`2015-5964`
------------------------------------------------------
+April 21, 2014 - :cve:`2014-0473`
+---------------------------------
-Denial-of-service possibility in ``logout()`` view by filling session store.
-`Full description `__
+Caching of anonymous pages could reveal CSRF token. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.8 :commit:`(patch) <2eb86b01d7b59be06076f6179a454d0fd0afaff6>`
-* Django 1.7 :commit:`(patch) <2f5485346ee6f84b4e52068c04e043092daf55f7>`
-* Django 1.4 :commit:`(patch) <575f59f9bc7c59a5e41a081d1f5f55fc859c5012>`
+* Django 1.4 :commit:`(patch) <1170f285ddd6a94a65f911a27788ba49ca08c0b0>`
+* Django 1.5 :commit:`(patch) <6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8>`
+* Django 1.6 :commit:`(patch) `
+* Django 1.7 :commit:`(patch) <380545bf85cbf17fc698d136815b7691f8d023ca>`
-November 24, 2015 - :cve:`2015-8213`
-------------------------------------
+April 21, 2014 - :cve:`2014-0472`
+---------------------------------
-Settings leak possibility in ``date`` template filter. `Full description
-`__
+Unexpected code execution using ``reverse()``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.8 :commit:`(patch) <9f83fc2f66f5a0bac7c291aec55df66050bb6991>`
-* Django 1.7 :commit:`(patch) <8a01c6b53169ee079cb21ac5919fdafcc8c5e172>`
+* Django 1.4 :commit:`(patch) `
+* Django 1.5 :commit:`(patch) <2a5bcb69f42b84464b24b5c835dca6467b6aa7f1>`
+* Django 1.6 :commit:`(patch) <4352a50871e239ebcdf64eee6f0b88e714015c1b>`
+* Django 1.7 :commit:`(patch) <546740544d7f69254a67b06a3fc7fa0c43512958>`
-February 1, 2016 - :cve:`2016-2048`
------------------------------------
+September 14, 2013 - :cve:`2013-1443`
+-------------------------------------
-User with "change" but not "add" permission can create objects for
-``ModelAdmin``’s with ``save_as=True``. `Full description
-`__
+Denial-of-service via large passwords. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.9 :commit:`(patch) `
+* Django 1.4 :commit:`(patch <3f3d887a6844ec2db743fee64c9e53e04d39a368>` and :commit:`Python compatibility fix) <6903d1690a92aa040adfb0c8eb37cf62e4206714>`
+* Django 1.5 :commit:`(patch) <22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`
-March 1, 2016 - :cve:`2016-2512`
---------------------------------
+September 10, 2013 - :cve:`2013-4315`
+-------------------------------------
-Malicious redirect and possible XSS attack via user-supplied redirect URLs
-containing basic auth. `Full description
-`__
+Directory-traversal via ``ssi`` template tag. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.9 :commit:`(patch) `
-* Django 1.8 :commit:`(patch) <382ab137312961ad62feb8109d70a5a581fe8350>`
+* Django 1.4 :commit:`(patch) <87d2750b39f6f2d54b7047225521a44dcd37e896>`
+* Django 1.5 :commit:`(patch) <988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`
-March 1, 2016 - :cve:`2016-2513`
---------------------------------
+August 13, 2013 - :cve:`2013-6044`
+----------------------------------
-User enumeration through timing difference on password hasher work factor
-upgrade. `Full description
-`__
+Possible XSS via unvalidated URL redirect schemes. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.9 :commit:`(patch) `
-* Django 1.8 :commit:`(patch) `
+* Django 1.4 :commit:`(patch) `
+* Django 1.5 :commit:`(patch) <1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`
-July 18, 2016 - :cve:`2016-6186`
---------------------------------
+August 13, 2013 - :cve:`2013-4249`
+----------------------------------
-XSS in admin's add/change related popup. `Full description
-`__
+XSS via admin trusting ``URLField`` values. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.9 :commit:`(patch) `
-* Django 1.8 :commit:`(patch) `
+* Django 1.5 :commit:`(patch) <90363e388c61874add3f3557ee654a996ec75d78>`
-September 26, 2016 - :cve:`2016-7401`
--------------------------------------
+February 19, 2013 - :cve:`2013-0306`
+------------------------------------
-CSRF protection bypass on a site with Google Analytics. `Full description
-`__
+Denial-of-service via formset ``max_num`` bypass. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.9 :commit:`(patch) `
-* Django 1.8 :commit:`(patch) <6118ab7d0676f0d622278e5be215f14fb5410b6a>`
+* Django 1.3 :commit:`(patch) `
+* Django 1.4 :commit:`(patch) <0cc350a896f70ace18280410eb616a9197d862b0>`
-November 1, 2016 - :cve:`2016-9013`
------------------------------------
+February 19, 2013 - :cve:`2013-0305`
+------------------------------------
-User with hardcoded password created when running tests on Oracle. `Full
-description `__
+Information leakage via admin history log. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.10 :commit:`(patch) <34e10720d81b8d407aa14d763b6a7fe8f13b4f2e>`
-* Django 1.9 :commit:`(patch) <4844d86c7728c1a5a3bbce4ad336a8d32304072b>`
-* Django 1.8 :commit:`(patch) <70f99952965a430daf69eeb9947079aae535d2d0>`
+* Django 1.3 :commit:`(patch) `
+* Django 1.4 :commit:`(patch) <0e7861aec73702f7933ce2a93056f7983939f0d6>`
-November 1, 2016 - :cve:`2016-9014`
------------------------------------
+February 19, 2013 - :cve:`2013-1664` / :cve:`2013-1665`
+-------------------------------------------------------
-DNS rebinding vulnerability when ``DEBUG=True``. `Full description
-`__
+Entity-based attacks against Python XML libraries. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.10 :commit:`(patch) <884e113838e5a72b4b0ec9e5e87aa480f6aa4472>`
-* Django 1.9 :commit:`(patch) <45acd6d836895a4c36575f48b3fb36a3dae98d19>`
-* Django 1.8 :commit:`(patch) `
+* Django 1.3 :commit:`(patch) `
+* Django 1.4 :commit:`(patch) <1c60d07ba23e0350351c278ad28d0bd5aa410b40>`
-April 4, 2017 - :cve:`2017-7233`
---------------------------------
+February 19, 2013 - No CVE
+--------------------------
-Open redirect and possible XSS attack via user-supplied numeric redirect URLs.
-`Full description `__
+Additional hardening of ``Host`` header handling. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.10 :commit:`(patch) `
-* Django 1.9 :commit:`(patch) <254326cb3682389f55f886804d2c43f7b9f23e4f>`
-* Django 1.8 :commit:`(patch) <8339277518c7d8ec280070a780915304654e3b66>`
+* Django 1.3 :commit:`(patch) <27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`
+* Django 1.4 :commit:`(patch) <9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`
-April 4, 2017 - :cve:`2017-7234`
---------------------------------
+December 10, 2012 - No CVE 2
+----------------------------
-Open redirect vulnerability in ``django.views.static.serve()``. `Full
-description `__
+Additional hardening of redirect validation. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.10 :commit:`(patch) <2a9f6ef71b8e23fd267ee2be1be26dde8ab67037>`
-* Django 1.9 :commit:`(patch) <5f1ffb07afc1e59729ce2b283124116d6c0659e4>`
-* Django 1.8 :commit:`(patch) <4a6b945dffe8d10e7cec107d93e6efaebfbded29>`
+* Django 1.3: :commit:`(patch) <1515eb46daa0897ba5ad5f0a2db8969255f1b343>`
+* Django 1.4: :commit:`(patch) `
-September 5, 2017 - :cve:`2017-12794`
--------------------------------------
+December 10, 2012 - No CVE 1
+----------------------------
-Possible XSS in traceback section of technical 500 debug page. `Full
-description `__
+Additional hardening of ``Host`` header handling. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 1.11 :commit:`(patch) `
-* Django 1.10 :commit:`(patch) <58e08e80e362db79eb0fd775dc81faad90dca47a>`
+* Django 1.3 :commit:`(patch) <2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`
+* Django 1.4 :commit:`(patch) <319627c184e71ae267d6b7f000e293168c7b6e09>`
-February 1, 2018 - :cve:`2018-6188`
+October 17, 2012 - :cve:`2012-4520`
-----------------------------------
-Information leakage in ``AuthenticationForm``. `Full description
-`__
+``Host`` header poisoning. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.0 :commit:`(patch) `
-* Django 1.11 :commit:`(patch) <57b95fedad5e0b83fc9c81466b7d1751c6427aae>`
+* Django 1.3 :commit:`(patch) `
+* Django 1.4 :commit:`(patch) <92d3430f12171f16f566c9050c40feefb830a4a3>`
-March 6, 2018 - :cve:`2018-7536`
+July 30, 2012 - :cve:`2012-3444`
--------------------------------
-Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template
-filters. `Full description
-`__
+Denial-of-service via large image files. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.0 :commit:`(patch) `
-* Django 1.11 :commit:`(patch) `
-* Django 1.8 :commit:`(patch) <1ca63a66ef3163149ad822701273e8a1844192c2>`
+* Django 1.3 :commit:`(patch) <9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`
+* Django 1.4 :commit:`(patch) `
-March 6, 2018 - :cve:`2018-7537`
+July 30, 2012 - :cve:`2012-3443`
--------------------------------
-Denial-of-service possibility in ``truncatechars_html`` and
-``truncatewords_html`` template filters. `Full description
-`__
+Denial-of-service via compressed image files. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.0 :commit:`(patch) <94c5da1d17a6b0d378866c66b605102c19f7988c>`
-* Django 1.11 :commit:`(patch) `
-* Django 1.8 :commit:`(patch) `
+* Django 1.3: :commit:`(patch) `
+* Django 1.4: :commit:`(patch) `
-August 1, 2018 - :cve:`2018-14574`
-----------------------------------
+July 30, 2012 - :cve:`2012-3442`
+--------------------------------
-Open redirect possibility in ``CommonMiddleware``. `Full description
-`__
+XSS via failure to validate redirect scheme. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.1 :commit:`(patch) `
-* Django 2.0 :commit:`(patch) <6fffc3c6d420e44f4029d5643f38d00a39b08525>`
-* Django 1.11 :commit:`(patch) `
+* Django 1.3: :commit:`(patch) <4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`
+* Django 1.4: :commit:`(patch) `
-October 1, 2018 - :cve:`2018-16984`
------------------------------------
+September 9, 2011 - :cve:`2011-4140`
+------------------------------------
-Password hash disclosure to "view only" admin users. `Full description
-`__
+Potential CSRF via ``Host`` header. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.1 :commit:`(patch) `
-
-January 4, 2019 - :cve:`2019-3498`
-----------------------------------
-
-Content spoofing possibility in the default 404 page. `Full description
-`__
-
-Versions affected
-~~~~~~~~~~~~~~~~~
+This notification was an advisory only, so no patches were issued.
-* Django 2.1 :commit:`(patch) <64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b>`
-* Django 2.0 :commit:`(patch) <9f4ed7c94c62e21644ef5115e393ac426b886f2e>`
-* Django 1.11 :commit:`(patch) <1cd00fcf52d089ef0fe03beabd05d59df8ea052a>`
+* Django 1.2
+* Django 1.3
-February 11, 2019 - :cve:`2019-6975`
+September 9, 2011 - :cve:`2011-4139`
------------------------------------
-Memory exhaustion in ``django.utils.numberformat.format()``. `Full description
-`__
+``Host`` header cache poisoning. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.1 :commit:`(patch) <40cd19055773705301c3428ed5e08a036d2091f3>`
-* Django 2.0 :commit:`(patch <1f42f82566c9d2d73aff1c42790d6b1b243f7676>` and
- :commit:`correction) <392e040647403fc8007708d52ce01d915b014849>`
-* Django 1.11 :commit:`(patch) <0bbb560183fabf0533289700845dafa94951f227>`
+* Django 1.2 :commit:`(patch) `
+* Django 1.3 :commit:`(patch) <2f7fadc38e>`
-June 3, 2019 - :cve:`2019-11358`
---------------------------------
+September 9, 2011 - :cve:`2011-4138`
+------------------------------------
-Prototype pollution in bundled jQuery. `Full description
-`__
+Information leakage/arbitrary request issuance via ``URLField.verify_exists``.
+`Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.2 :commit:`(patch) `
-* Django 2.1 :commit:`(patch) <95649bc08547a878cebfa1d019edec8cb1b80829>`
+* Django 1.2: :commit:`(patch) <7268f8af86>`
+* Django 1.3: :commit:`(patch) <1a76dbefdf>`
-June 3, 2019 - :cve:`2019-12308`
---------------------------------
+September 9, 2011 - :cve:`2011-4137`
+------------------------------------
-XSS via "Current URL" link generated by ``AdminURLFieldWidget``. `Full
-description `__
+Denial-of-service via ``URLField.verify_exists``. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.2 :commit:`(patch) `
-* Django 2.1 :commit:`(patch) <09186a13d975de6d049f8b3e05484f66b01ece62>`
-* Django 1.11 :commit:`(patch) `
+* Django 1.2 :commit:`(patch) <7268f8af86>`
+* Django 1.3 :commit:`(patch) <1a76dbefdf>`
-July 1, 2019 - :cve:`2019-12781`
---------------------------------
+September 9, 2011 - :cve:`2011-4136`
+------------------------------------
-Incorrect HTTP detection with reverse-proxy connecting via HTTPS. `Full
-description `__
+Session manipulation when using memory-cache-backed session. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.2 :commit:`(patch) <77706a3e4766da5d5fb75c4db22a0a59a28e6cd6>`
-* Django 2.1 :commit:`(patch) <1e40f427bb8d0fb37cc9f830096a97c36c97af6f>`
-* Django 1.11 :commit:`(patch) <32124fc41e75074141b05f10fc55a4f01ff7f050>`
+* Django 1.2 :commit:`(patch) `
+* Django 1.3 :commit:`(patch) `
-August 1, 2019 - :cve:`2019-14232`
-----------------------------------
+February 8, 2011 - :cve:`2011-0698`
+-----------------------------------
-Denial-of-service possibility in ``django.utils.text.Truncator``. `Full
-description `__
+Directory-traversal on Windows via incorrect path-separator handling. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.2 :commit:`(patch) `
-* Django 2.1 :commit:`(patch) `
-* Django 1.11 :commit:`(patch) <42a66e969023c00536256469f0e8b8a099ef109d>`
+* Django 1.1 :commit:`(patch) <570a32a047>`
+* Django 1.2 :commit:`(patch) <194566480b>`
-August 1, 2019 - :cve:`2019-14233`
-----------------------------------
+February 8, 2011 - :cve:`2011-0697`
+-----------------------------------
-Denial-of-service possibility in ``strip_tags()``. `Full description
-`__
+XSS via unsanitized names of uploaded files. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.2 :commit:`(patch) `
-* Django 2.1 :commit:`(patch) <5ff8e791148bd451180124d76a55cb2b2b9556eb>`
-* Django 1.11 :commit:`(patch) <52479acce792ad80bb0f915f20b835f919993c72>`
-
+* Django 1.1 :commit:`(patch) <1966786d2d>`
+* Django 1.2 :commit:`(patch) <1f814a9547>`
-August 1, 2019 - :cve:`2019-14234`
-----------------------------------
+February 8, 2011 - :cve:`2011-0696`
+-----------------------------------
-SQL injection possibility in key and index lookups for
-``JSONField``/``HStoreField``. `Full description
-`__
+CSRF via forged HTTP headers. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.2 :commit:`(patch) <4f5b58f5cd3c57fee9972ab074f8dc6895d8f387>`
-* Django 2.1 :commit:`(patch) `
-* Django 1.11 :commit:`(patch) `
+* Django 1.1 :commit:`(patch) <408c5c873c>`
+* Django 1.2 :commit:`(patch) <818e70344e>`
-August 1, 2019 - :cve:`2019-14235`
-----------------------------------
+December 22, 2010 - :cve:`2010-4535`
+------------------------------------
-Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``. `Full
-description
-`__
+Denial-of-service in password-reset mechanism. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 2.2 :commit:`(patch) `
-* Django 2.1 :commit:`(patch) <5d50a2e5fa36ad23ab532fc54cf4073de84b3306>`
-* Django 1.11 :commit:`(patch) <869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79>`
+* Django 1.1 :commit:`(patch) <7f8dd9cbac>`
+* Django 1.2 :commit:`(patch) `
-December 2, 2019 - :cve:`2019-19118`
+December 22, 2010 - :cve:`2010-4534`
------------------------------------
-Privilege escalation in the Django admin. `Full description
-`__
+Information leakage in administrative interface. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.0 :commit:`(patch) <092cd66cf3c3e175acce698d6ca2012068d878fa>`
-* Django 2.2 :commit:`(patch) <36f580a17f0b3cb087deadf3b65eea024f479c21>`
-* Django 2.1 :commit:`(patch) <103ebe2b5ff1b2614b85a52c239f471904d26244>`
+* Django 1.1 :commit:`(patch) <17084839fd>`
+* Django 1.2 :commit:`(patch) <85207a245b>`
-December 18, 2019 - :cve:`2019-19844`
--------------------------------------
+September 8, 2010 - :cve:`2010-3082`
+------------------------------------
-Potential account hijack via password reset form. `Full description
-`__
+XSS via trusting unsafe cookie value. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.0 :commit:`(patch) <302a4ff1e8b1c798aab97673909c7a3dfda42c26>`
-* Django 2.2 :commit:`(patch) <4d334bea06cac63dc1272abcec545b85136cca0e>`
-* Django 1.11 :commit:`(patch) `
+* Django 1.2 :commit:`(patch) <7f84657b6b>`
-February 3, 2020 - :cve:`2020-7471`
------------------------------------
+October 9, 2009 - :cve:`2009-3965`
+----------------------------------
-Potential SQL injection via ``StringAgg(delimiter)``. `Full description
-`__
+Denial-of-service via pathological regular expression performance. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.0 :commit:`(patch) <505826b469b16ab36693360da9e11fd13213421b>`
-* Django 2.2 :commit:`(patch) `
-* Django 1.11 :commit:`(patch) <001b0634cd309e372edb6d7d95d083d02b8e37bd>`
+* Django 1.0 :commit:`(patch) <594a28a904>`
+* Django 1.1 :commit:`(patch) `
-March 4, 2020 - :cve:`2020-9402`
+July 28, 2009 - :cve:`2009-2659`
--------------------------------
-Potential SQL injection via ``tolerance`` parameter in GIS functions and
-aggregates on Oracle. `Full description
-`__
+Directory-traversal in development server media handler. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.0 :commit:`(patch) <26a5cf834526e291db00385dd33d319b8271fc4c>`
-* Django 2.2 :commit:`(patch) `
-* Django 1.11 :commit:`(patch) <02d97f3c9a88adc890047996e5606180bd1c6166>`
+* Django 0.96 :commit:`(patch) `
+* Django 1.0 :commit:`(patch) `
-June 3, 2020 - :cve:`2020-13254`
---------------------------------
+September 2, 2008 - :cve:`2008-3909`
+------------------------------------
-Potential data leakage via malformed memcached keys. `Full description
-`__
+CSRF via preservation of POST data during admin login. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.0 :commit:`(patch) <84b2da5552e100ae3294f564f6c862fef8d0e693>`
-* Django 2.2 :commit:`(patch) <07e59caa02831c4569bbebb9eb773bdd9cb4b206>`
+* Django 0.91 :commit:`(patch) <44debfeaa4473bd28872c735dd3d9afde6886752>`
+* Django 0.95 :commit:`(patch) `
+* Django 0.96 :commit:`(patch) <7e0972bded362bc4b851c109df2c8a6548481a8e>`
-June 3, 2020 - :cve:`2020-13596`
---------------------------------
+May 14, 2008 - :cve:`2008-2302`
+-------------------------------
-Possible XSS via admin ``ForeignKeyRawIdWidget``. `Full description
-`__
+XSS via admin login redirect. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.0 :commit:`(patch) <1f2dd37f6fcefdd10ed44cb233b2e62b520afb38>`
-* Django 2.2 :commit:`(patch) <6d61860b22875f358fac83d903dc629897934815>`
+* Django 0.91 :commit:`(patch) <50ce7fb57d>`
+* Django 0.95 :commit:`(patch) <50ce7fb57d>`
+* Django 0.96 :commit:`(patch) <7791e5c050>`
-September 1, 2020 - :cve:`2020-24583`
--------------------------------------
+October 26, 2007 - :cve:`2007-5712`
+-----------------------------------
-Incorrect permissions on intermediate-level directories on Python 3.7+. `Full
-description
-`__
+Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full
+description `__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.1 :commit:`(patch) <934430d22aa5d90c2ba33495ff69a6a1d997d584>`
-* Django 3.0 :commit:`(patch) <08892bffd275c79ee1f8f67639eb170aaaf1181e>`
-* Django 2.2 :commit:`(patch) <375657a71c889c588f723469bd868bd1d40c369f>`
+* Django 0.91 :commit:`(patch) <8bc36e726c9e8c75c681d3ad232df8e882aaac81>`
+* Django 0.95 :commit:`(patch) <412ed22502e11c50dbfee854627594f0e7e2c234>`
+* Django 0.96 :commit:`(patch) <7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`
-September 1, 2020 - :cve:`2020-24584`
--------------------------------------
+Issues prior to Django's security process
+=========================================
-Permission escalation in intermediate-level directories of the file system
-cache on Python 3.7+. `Full description
-`__
+Some security issues were handled before Django had a formalized
+security process in use. For these, new releases may not have been
+issued at the time and CVEs may not have been assigned.
+
+January 21, 2007 - :cve:`2007-0405`
+-----------------------------------
+
+Apparent "caching" of authenticated user. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.1 :commit:`(patch) <2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b>`
-* Django 3.0 :commit:`(patch) `
-* Django 2.2 :commit:`(patch) `
+* Django 0.95 :commit:`(patch) `
-February 1, 2021 - :cve:`2021-3281`
------------------------------------
+August 16, 2006 - :cve:`2007-0404`
+----------------------------------
-Potential directory-traversal via ``archive.extract()``. `Full description
-`__
+Filename validation issue in translation framework. `Full description
+`__
Versions affected
~~~~~~~~~~~~~~~~~
-* Django 3.1 :commit:`(patch) <02e6592835b4559909aa3aaaf67988fef435f624>`
-* Django 3.0 :commit:`(patch) <52e409ed17287e9aabda847b6afe58be2fa9f86a>`
-* Django 2.2 :commit:`(patch) <21e7622dec1f8612c85c2fc37fe8efbfd3311e37>`
+* Django 0.90 :commit:`(patch) <518d406e53>`
+* Django 0.91 :commit:`(patch) <518d406e53>`
+* Django 0.95 :commit:`(patch) ` (released January 21 2007)