Django-1.2.2.tar.gz: 32 vulnerabilities (highest severity is: 9.8) #2

Open
mend-for-github-com bot opened this issue Mar 12, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

mend-for-github-com bot commented Mar 12, 2023

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (Django version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-34265 | Critical | 9.8 | Django-1.2.2.tar.gz | Direct | Django - 3.2.14,4.0.6 | |
| CVE-2019-19844 | Critical | 9.8 | Django-1.2.2.tar.gz | Direct | 1.11.27 | |
| CVE-2014-0474 | Critical | 9.8 | Django-1.2.2.tar.gz | Direct | 1.4.11 | |
| CVE-2015-5143 | High | 7.5 | Django-1.2.2.tar.gz | Direct | 1.4.21 | |
| CVE-2014-0480 | High | 7.5 | Django-1.2.2.tar.gz | Direct | 1.4.14,1.5.9,1.6.6,1.7.1 | |
| CVE-2011-4140 | High | 7.5 | Django-1.2.2.tar.gz | Direct | 1.2.7 | |
| CVE-2016-2512 | High | 7.4 | Django-1.2.2.tar.gz | Direct | 1.8.10,1.9.3 | |
| CVE-2021-44420 | High | 7.3 | Django-1.2.2.tar.gz | Direct | Django - 2.2.25,3.1.14,3.2.10 | |
| CVE-2011-0698 | High | 7.3 | Django-1.2.2.tar.gz | Direct | 1.2.5 | |
| CVE-2016-6186 | Medium | 6.1 | Django-1.2.2.tar.gz | Direct | 1.8.14,1.9.8,1.10rc1 | |
| CVE-2014-0472 | Medium | 5.6 | Django-1.2.2.tar.gz | Direct | 1.4.11 | |
| CVE-2011-0696 | Medium | 5.6 | Django-1.2.2.tar.gz | Direct | 1.2.5 | |
| CVE-2015-0221 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.4.18 | |
| CVE-2015-0219 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.4.18,1.6.10,1.7.3 | |
| CVE-2014-0473 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.4.11 | |
| CVE-2012-3444 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.3.3 | |
| CVE-2012-3443 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.4.1 | |
| CVE-2011-4139 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.2.7 | |
| CVE-2011-4138 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.2.7 | |
| CVE-2011-4137 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.2.7 | |
| CVE-2010-4535 | Medium | 5.3 | Django-1.2.2.tar.gz | Direct | 1.2.4 | |
| CVE-2014-0482 | Medium | 5.0 | Django-1.2.2.tar.gz | Direct | 1.4.14,1.5.9,1.6.6,1.7 | |
| CVE-2011-4136 | Medium | 4.8 | Django-1.2.2.tar.gz | Direct | 1.2.7 | |
| CVE-2010-4534 | Medium | 4.3 | Django-1.2.2.tar.gz | Direct | 1.2.4 | |
| CVE-2015-5144 | Low | 3.7 | Django-1.2.2.tar.gz | Direct | 1.4.21 | |
| CVE-2015-2317 | Low | 3.7 | Django-1.2.2.tar.gz | Direct | 1.4.20,1.6.11,1.7.7,1.8c1 | |
| CVE-2015-0220 | Low | 3.7 | Django-1.2.2.tar.gz | Direct | 1.4.18 | |
| CVE-2014-0481 | Low | 3.7 | Django-1.2.2.tar.gz | Direct | 1.4.14 | |
| CVE-2012-3442 | Low | 3.7 | Django-1.2.2.tar.gz | Direct | 1.3.2 | |
| CVE-2011-0697 | Low | 3.7 | Django-1.2.2.tar.gz | Direct | 1.2.5 | |
| CVE-2016-2513 | Low | 3.1 | Django-1.2.2.tar.gz | Direct | 1.8.10,1.9.3 | |
| CVE-2014-0483 | Low | 3.1 | Django-1.2.2.tar.gz | Direct | 1.4.14 | |

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (26 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-34265

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.

Publish Date: 2022-07-04

URL: CVE-2022-34265

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

Release Date: 2022-07-04

Fix Resolution: Django - 3.2.14,4.0.6

CVE-2019-19844

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Publish Date: 2019-12-18

URL: CVE-2019-19844

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844

Release Date: 2019-12-18

Fix Resolution: 1.11.27

CVE-2014-0474

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Publish Date: 2014-04-23

URL: CVE-2014-0474

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474

Release Date: 2014-04-23

Fix Resolution: 1.4.11

CVE-2015-5143

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Publish Date: 2015-07-14

URL: CVE-2015-5143

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143

Release Date: 2015-07-14

Fix Resolution: 1.4.21

CVE-2014-0480

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Publish Date: 2014-08-26

URL: CVE-2014-0480

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1

CVE-2011-4140

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Publish Date: 2011-10-19

URL: CVE-2011-4140

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

Release Date: 2011-10-19

Fix Resolution: 1.2.7

CVE-2016-2512

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

Publish Date: 2016-04-08

URL: CVE-2016-2512

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2512

Release Date: 2016-04-08

Fix Resolution: 1.8.10,1.9.3

CVE-2021-44420

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Publish Date: 2021-12-07

URL: CVE-2021-44420

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://docs.djangoproject.com/en/3.2/releases/security/

Release Date: 2021-12-07

Fix Resolution: Django - 2.2.25,3.1.14,3.2.10

CVE-2011-0698

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.

Publish Date: 2011-02-14

URL: CVE-2011-0698

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0698

Release Date: 2011-02-14

Fix Resolution: 1.2.5

CVE-2016-6186

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Publish Date: 2016-08-05

URL: CVE-2016-6186

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6186

Release Date: 2016-08-05

Fix Resolution: 1.8.14,1.9.8,1.10rc1

CVE-2014-0472

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Publish Date: 2014-04-23

URL: CVE-2014-0472

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472

Release Date: 2014-04-23

Fix Resolution: 1.4.11

CVE-2011-0696

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.

Publish Date: 2011-02-14

URL: CVE-2011-0696

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2011/feb/08/security/

Release Date: 2011-02-14

Fix Resolution: 1.2.5

CVE-2015-0221

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

Publish Date: 2015-01-16

URL: CVE-2015-0221

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0221

Release Date: 2015-01-16

Fix Resolution: 1.4.18

CVE-2015-0219

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

Publish Date: 2015-01-16

URL: CVE-2015-0219

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0219

Release Date: 2015-01-16

Fix Resolution: 1.4.18,1.6.10,1.7.3

CVE-2014-0473

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

Publish Date: 2014-04-23

URL: CVE-2014-0473

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0473

Release Date: 2014-04-23

Fix Resolution: 1.4.11

CVE-2012-3444

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

Publish Date: 2012-07-31

URL: CVE-2012-3444

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3444

Release Date: 2012-07-31

Fix Resolution: 1.3.3

CVE-2012-3443

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

Publish Date: 2012-07-31

URL: CVE-2012-3443

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3443

Release Date: 2012-07-31

Fix Resolution: 1.4.1

CVE-2011-4139

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

Publish Date: 2011-10-19

URL: CVE-2011-4139

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4139

Release Date: 2011-10-19

Fix Resolution: 1.2.7

CVE-2011-4138

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.

Publish Date: 2011-10-19

URL: CVE-2011-4138

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4138

Release Date: 2011-10-19

Fix Resolution: 1.2.7

CVE-2011-4137

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.

Publish Date: 2011-10-19

URL: CVE-2011-4137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4137

Release Date: 2011-10-19

Fix Resolution: 1.2.7

CVE-2010-4535

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy:

  • Django-1.2.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 54ff55ba48d1ca183fe16ba275e4ac26c38b3488

Found in base branch: main

Vulnerability Details

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.

Publish Date: 2011-01-10

URL: CVE-2010-4535

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4535

Release Date: 2011-01-10

Fix Resolution: 1.2.4

CVE-2014-0482

Vulnerability Details

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

Publish Date: 2014-08-26

URL: CVE-2014-0482

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0482

Release Date: 2014-08-26

Fix Resolution: 1.4.14, 1.5.9, 1.6.6, 1.7

CVE-2011-4136

Vulnerability Details

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

Publish Date: 2011-10-19

URL: CVE-2011-4136

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4136

Release Date: 2011-10-19

Fix Resolution: 1.2.7

CVE-2010-4534

Vulnerability Details

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.

Publish Date: 2011-01-10

URL: CVE-2010-4534

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2010/dec/22/security/

Release Date: 2011-01-10

Fix Resolution: 1.2.4

CVE-2015-5144

Vulnerability Details

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

Publish Date: 2015-07-14

URL: CVE-2015-5144

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5144

Release Date: 2015-07-14

Fix Resolution: 1.4.21

CVE-2015-2317

Vulnerability Details

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

Publish Date: 2015-03-25

URL: CVE-2015-2317

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-2317

Release Date: 2015-03-25

Fix Resolution: 1.4.20, 1.6.11, 1.7.7, 1.8c1

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Mar 12, 2023
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 30 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 29 vulnerabilities (highest severity is: 9.8) Apr 11, 2024
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 29 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 28 vulnerabilities (highest severity is: 9.8) Apr 12, 2024
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 28 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 27 vulnerabilities (highest severity is: 9.8) Apr 13, 2024
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 27 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 25 vulnerabilities (highest severity is: 9.8) Apr 13, 2024
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 25 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 30 vulnerabilities (highest severity is: 9.8) May 1, 2024
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 30 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 32 vulnerabilities (highest severity is: 9.8) Oct 24, 2024
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 32 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 29 vulnerabilities (highest severity is: 9.8) Jan 19, 2025
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 29 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 18 vulnerabilities (highest severity is: 9.8) Jan 21, 2025
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 18 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 21 vulnerabilities (highest severity is: 9.8) Jan 22, 2025
@mend-for-github-com mend-for-github-com bot changed the title Django-1.2.2.tar.gz: 21 vulnerabilities (highest severity is: 9.8) Django-1.2.2.tar.gz: 32 vulnerabilities (highest severity is: 9.8) Jan 23, 2025