Arsip dari masalah keamanan¶

April 2, 2025 - CVE 2025-27556¶

Potential denial-of-service vulnerability in LoginView, LogoutView, and set_language() on Windows. Full description

• Django 5.1 (patch)

• Django 5.0 (patch)

March 6, 2025 - CVE 2025-26699¶

Potential denial-of-service in django.utils.text.wrap(). Full description

• Django 5.1 (patch)

• Django 5.0 (patch)

• Django 4.2 (patch)

January 14, 2025 - CVE 2024-56374¶

Potential denial-of-service vulnerability in IPv6 validation. Full description

• Django 5.1 (patch)

• Django 5.0 (patch)

• Django 4.2 (patch)

December 4, 2024 - CVE 2024-53907¶

Potential denial-of-service in django.utils.html.strip_tags(). Full description

• Django 5.1 (patch)

• Django 5.0 (patch)

• Django 4.2 (patch)

December 4, 2024 - CVE 2024-53908¶

Potential SQL injection in HasKey(lhs, rhs) on Oracle. Full description

• Django 5.1 (patch)

• Django 5.0 (patch)

• Django 4.2 (patch)

September 3, 2024 - CVE 2024-45231¶

Potential user email enumeration via response status on password reset. Full description

• Django 5.1 (patch)

• Django 5.0 (patch)

• Django 4.2 (patch)

September 3, 2024 - CVE 2024-45230¶

Potential denial-of-service vulnerability in django.utils.html.urlize(). Full description

• Django 5.1 (patch)

• Django 5.0 (patch)

• Django 4.2 (patch)

August 6, 2024 - CVE 2024-42005¶

Potential SQL injection in QuerySet.values() and values_list(). Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

August 6, 2024 - CVE 2024-41991¶

Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget. Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

August 6, 2024 - CVE 2024-41990¶

Potential denial-of-service vulnerability in django.utils.html.urlize(). Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

August 6, 2024 - CVE 2024-41989¶

Potential memory exhaustion in django.utils.numberformat.floatformat(). Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

July 9, 2024 - CVE 2024-39614¶

Potential denial-of-service in django.utils.translation.get_supported_language_variant(). Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

July 9, 2024 - CVE 2024-39330¶

Potential directory-traversal in django.core.files.storage.Storage.save(). Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

July 9, 2024 - CVE 2024-39329¶

Username enumeration through timing difference for users with unusable passwords. Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

July 9, 2024 - CVE 2024-38875¶

Potential denial-of-service in django.utils.html.urlize(). Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

March 4, 2024 - CVE 2024-27351¶

Potential regular expression denial-of-service in django.utils.text.Truncator.words(). Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

• Django 3.2 (patch)

February 6, 2024 - CVE 2024-24680¶

Potential denial-of-service in intcomma template filter. Full description

• Django 5.0 (patch)

• Django 4.2 (patch)

• Django 3.2 (patch)

November 1, 2023 - CVE 2023-46695¶

Potential denial of service vulnerability in UsernameField on Windows. Full description

• Django 4.2 (patch)

• Django 4.1 (patch)

• Django 3.2 (patch)

October 4, 2023 - CVE 2023-43665¶

Denial-of-service possibility in django.utils.text.Truncator. Full description

• Django 4.2 (patch)

• Django 4.1 (patch)

• Django 3.2 (patch)

September 4, 2023 - CVE 2023-41164¶

Potential denial of service vulnerability in django.utils.encoding.uri_to_iri(). Full description

• Django 4.2 (patch)

• Django 4.1 (patch)

• Django 3.2 (patch)

July 3, 2023 - CVE 2023-36053¶

Potential regular expression denial of service vulnerability in EmailValidator/URLValidator. Full description

• Django 4.2 (patch)

• Django 4.1 (patch)

• Django 3.2 (patch)

May 3, 2023 - CVE 2023-31047¶

Potential bypass of validation when uploading multiple files using one form field. Full description

• Django 4.2 (patch)

• Django 4.1 (patch)

• Django 3.2 (patch)

February 14, 2023 - CVE 2023-24580¶

Potential denial-of-service vulnerability in file uploads. Full description

• Django 4.1 (patch)

• Django 4.0 (patch)

• Django 3.2 (patch)

February 1, 2023 - CVE 2023-23969¶

Potential denial-of-service via Accept-Language headers. Full description

• Django 4.1 (patch)

• Django 4.0 (patch)

• Django 3.2 (patch)

October 4, 2022 - CVE 2022-41323¶

Potential denial-of-service vulnerability in internationalized URLs. Full description

• Django 4.1 (patch)

• Django 4.0 (patch)

• Django 3.2 (patch)

August 3, 2022 - CVE 2022-36359¶

Potential reflected file download vulnerability in FileResponse. Full description

• Django 4.0 (patch)

• Django 3.2 (patch)

July 4, 2022 - CVE 2022-34265¶

Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments. Full description

• Django 4.0 (patch)

• Django 3.2 (patch)

April 11, 2022 - CVE 2022-28346¶

Potential SQL injection in QuerySet.annotate(), aggregate(), and extra(). Full description

• Django 4.0 (patch)

• Django 3.2 (patch)

• Django 2.2 (patch)

April 11, 2022 - CVE 2022-28347¶

Potential SQL injection via QuerySet.explain(**options) on PostgreSQL. Full description

• Django 4.0 (patch)

• Django 3.2 (patch)

• Django 2.2 (patch)

February 1, 2022 - CVE 2022-22818¶

Possible XSS via {% debug %} template tag. Full description

February 1, 2022 - CVE 2022-23833¶

Denial-of-service possibility in file uploads. Full description

January 4, 2022 - CVE 2021-45452¶

Potential directory-traversal via Storage.save(). Full description

January 4, 2022 - CVE 2021-45116¶

Potential information disclosure in dictsort template filter. Full description

January 4, 2022 - CVE 2021-45115¶

Denial-of-service possibility in UserAttributeSimilarityValidator. Full description

December 7, 2021 - CVE 2021-44420¶

Potential bypass of an upstream access control based on URL paths. Full description

July 1, 2021 - CVE 2021-35042¶

Potential SQL injection via unsanitized QuerySet.order_by() input. Full description

June 2, 2021 - CVE 2021-33203¶

Potential directory traversal via admindocs. Full description

June 2, 2021 - CVE 2021-33571¶

Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses. Full description

May 6, 2021 - CVE 2021-32052¶

Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+. Full description

May 4, 2021 - CVE 2021-31542¶

Potential directory-traversal via uploaded files. Full description

April 6, 2021 - CVE 2021-28658¶

Potential directory-traversal via uploaded files. Full description

February 19, 2021 - CVE 2021-23336¶

Web cache poisoning via django.utils.http.limited_parse_qsl(). Full description

February 1, 2021 - CVE 2021-3281¶

Potential directory-traversal via archive.extract(). Full description

September 1, 2020 - CVE 2020-24584¶

Permission escalation in intermediate-level directories of the file system cache on Python 3.7+. Full description

September 1, 2020 - CVE 2020-24583¶

Incorrect permissions on intermediate-level directories on Python 3.7+. Full description

June 3, 2020 - CVE 2020-13596¶

Possible XSS via admin ForeignKeyRawIdWidget. Full description

June 3, 2020 - CVE 2020-13254¶

Potential data leakage via malformed memcached keys. Full description

March 4, 2020 - CVE 2020-9402¶

Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle. Full description

February 3, 2020 - CVE 2020-7471¶

Potential SQL injection via StringAgg(delimiter). Full description

December 18, 2019 - CVE 2019-19844¶

Potential account hijack via password reset form. Full description

December 2, 2019 - CVE 2019-19118¶

Privilege escalation in the Django admin. Full description

August 1, 2019 - CVE 2019-14235¶

Potential memory exhaustion in django.utils.encoding.uri_to_iri(). Full description

August 1, 2019 - CVE 2019-14234¶

SQL injection possibility in key and index lookups for JSONField/HStoreField. Full description

August 1, 2019 - CVE 2019-14233¶

Denial-of-service possibility in strip_tags(). Full description

August 1, 2019 - CVE 2019-14232¶

Denial-of-service possibility in django.utils.text.Truncator. Full description

July 1, 2019 - CVE 2019-12781¶

Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Full description

June 3, 2019 - CVE 2019-12308¶

XSS via "Current URL" link generated by AdminURLFieldWidget. Full description

June 3, 2019 - CVE 2019-11358¶

Prototype pollution in bundled jQuery. Full description

February 11, 2019 - CVE 2019-6975¶

Memory exhaustion in django.utils.numberformat.format(). Full description

January 4, 2019 - CVE 2019-3498¶

Content spoofing possibility in the default 404 page. Full description

October 1, 2018 - CVE 2018-16984¶

Password hash disclosure to "view only" admin users. Full description

August 1, 2018 - CVE 2018-14574¶

Open redirect possibility in CommonMiddleware. Full description

March 6, 2018 - CVE 2018-7537¶

Denial-of-service possibility in truncatechars_html and truncatewords_html template filters. Full description

March 6, 2018 - CVE 2018-7536¶

Denial-of-service possibility in urlize and urlizetrunc template filters. Full description

February 1, 2018 - CVE 2018-6188¶

Information leakage in AuthenticationForm. Full description

5 September 2017 - CVE 2017-12794¶

Kemungkinan XSS di melacak kembali bagian dari halaman teknis mencari kesalahan 500. Full description

4 April 2017 - CVE 2017-7234¶

Membuka kerentanan pangalihan dalam django.views.static.serve(). Full description

4 April 2017 - CVE 2017-7233¶

Dibuka pengalihan dan kemungkinan serangan XSS melalui URL pengalihan numerik disokong-pengguna. Full description

1 November 2016 - CVE 2016-9014¶

Kerentanan mengikat kembali ketika DEBUG=True. Full description

1 November 2016 - CVE 2016-9013¶

Pengguna dengan sandi kode keras sandi dibuat ketika menjalankan percobaan pada Oracle. Full description

26 September 2016 - CVE 2016-7401¶

Pemotongan perlindungan CSRF pada situs dengan Google Analytics. Full description

18 Juli 2016 - CVE 2016-6186¶

XSS dalam popup terkait tambah/rubah admin. Full description

1 Maret 2016 - CVE 2016-2513¶

Pendaftaran pengguna melalui perbedaan pewaktu pada peningkatan faktor pekerjaan pengacak sandi. Full description

1 Maret 2016 - CVE 2016-2512¶

Pengalihan dan kemungkinsn serangan XSS jelek melalui URL pengalihan diberikan-pengguna mengandung autentifikasi dasar. Full description

1 Februari 2016 - CVE 2016-2048¶

Pengguna dengan "change" tetapi tidak "add" perizinan dapat membuat obyek untuk ModelAdmin dengan save_as=True. Full description

24 November 2015 - CVE 2015-8213¶

Menyetel kemungkinan bocor di penyaring cetakan date. Full description

18 Agustus 2015 - CVE 2015-5963 / CVE 2015-5964¶

Kemungkinan denial-of-service di tampilan logout() dengan mengisi toko sesi. Full description

8 Juli 2015 - CVE 2015-5145¶

Kemungkinan denial-of-service di pengesahan URL. Full description

8 Juli 2015 - CVE 2015-5144¶

Kemungkinan suntikan kepala sejak pengesah menerima baris baru di masukan. Full description

8 Juli 2015 - CVE 2015-5143¶

Kemungkinan denial-of-service dengan mengisi toko sesi. Full description

20 Mei 2015 - CVE 2015-3982¶

Diperbaiki pembilasan sesi di backend cached_db. Full description

18 Maret 2015 - CVE 2015-2317¶

Dikurangi kemungkinan serangan XSS melalui URL pengalihan diberikan-pengguna. Full description

18 Maret 2015 - CVE 2015-2316¶

Kemungkinan denial-of-service dengan strip_tags(). Full description

9 Maret 2015 - CVE 2015-2241¶

Serangan XSS melalui sifat di ModelAdmin.readonly_fields. Full description

13 januari 2015 - CVE 2015-0222¶

Denial-of-service basisdata dengan ModelMultipleChoiceField. Full description

13 Januari 2015 - CVE 2015-0221¶

Serangan denial-of-service terhadap django.views.static.serve(). Full description

13 Januari 2015 - CVE 2015-0220¶

Dikurangi kemungkinan serangan XSS melalui URL pengalihan diberikan-pengguna. Full description

13 Januari 2015 - CVE 2015-0219¶

Menipu kepala WSGI melalui garis bawah/penggabungan tanda garis. Full description

20 Agustus 2014 - CVE 2014-0483¶

Kebocoran data melalui memanipulasi querystring di admin. Full description

20 Agustus 2014 - CVE 2014-0482¶

Pembajakan sesi RemoteUserMiddleware. Full description

20 Agustus 2014 - CVE 2014-0481¶

Unggah berkas denial of service. Full description

20 Agustus 2014 - CVE 2014-0480¶

reverse()` dapat membangkitkan URL menunjuk ke rumah lain. Full description

18 Mei 2014 - CVE 2014-3730¶

URL jelek dari masukan pengguna tidak benar disahkan. Full description

18 Mei 2014 - CVE 2014-1418¶

Tembolok mungkin diizinkan untuk menyimpan dan melayani data pribadi. Full description

21 April 2014 - CVE 2014-0474¶

Typecast MySQL menyebabkan hasil permintaan yang tidak diharapkan. Full description

21 April 2014 - CVE 2014-0473¶

Cache dari halaman anonim dapat mengungkap token CSRF. Full description

21 April 2014 - CVE 2014-0472¶

Pengerjaan kode tidak diharapkan menggunakan reverse(). Full description

14 September 2013 - CVE 2013-1443¶

Denial-of-service melalui sandi besar. Full description

10 September 2013 - CVE 2013-4315¶

Lintasan-direktori melalui etiket cetakan ssi. Full description

13 Agustus 2013 - CVE 2013-6044¶

Kemungkinan XSS melalui skema pengalihan URL tidak disahkan. Full description

13 Agustus 2013 - CVE 2013-4249¶

XSS melalui nilai-nilai URLField dipercaya admin. Full description

19 Februari 2013 - CVE 2013-0306¶

Denial-of-service melalui memotong max_num formset. Full description

19 Februari 2013 - CVE 2013-0305¶

Kebocoran informasi melalui catatan riwayat admin. Full description

19 Februari 2013 - CVE 2013-1664 / CVE 2013-1665¶

Serangan berdasarkan-masukan terhadap pustaka XML Python. Full description

Februari 19, 2013 - No CVE¶

Tambahan pengerasan dari penanganan kepala Host. Full description

Desember 10, 2012 - No CVE 2¶

Tambahan pengerasan dari pengalihan pengesahan. Full description

Desember 10, 2012 - No CVE 1¶

Tambahan pengerasan dari penanganan kepala Host. Full description

17 Oktober 2012 - CVE 2012-4520¶

Peracunan kepala Host. Full description

30 Juli 2012 - CVE 2012-3444¶

Denial-of-service melalui berkas-berkas gambar. Full description

30 Juli 2012 - CVE 2012-3443¶

Denial-of-service melalui berkas-berkas gambar termampatkan. Full description

30 Juli 2012 - CVE 2012-3442¶

XSS melalui kegagalan untuk mensahkan skema pengalihan. Full description

9 September 2011 - CVE 2011-4140¶

Kemungkinan CSRF melalui kepala Host. Full description

9 September 2011 - CVE 2011-4139¶

Peracunan cache kepala Host. Full description

9 September 2011 - CVE 2011-4138¶

Pengeluaran permintaan kebocoran/berubah-ubah informasi melalui URLField.verify_exists. Full description

9 September 2011 - CVE 2011-4137¶

Denial-of-service melalui URLField.verify_exists. Full description

9 September 2011 - CVE 2011-4136¶

Manipulasi sesi ketika menggunakan sesi backend-cache-memori. Full description

8 Februari 2011 - CVE 2011-0698¶

Lintasan-direktori pada Windows melalui penanganan pemisah-jalur tidak benar. Full description

8 Februari 2011 - CVE 2011-0697¶

XSS melalui nama-nama tidak dibersihkan dari berkas-berkas terunggah. Full description

8 Februari 2011 - CVE 2011-0696¶

CSRF melalui kepala HTTP yang ditempa. Full description

22 Desember 2010 - CVE 2010-4535¶

Denial-of-service di mekanisme setel kembali-sandi. Full description

22 Desember 2010 - CVE 2010-4534¶

Kebocoran informasi di antarmuka administratif. Full description

8 September 2010 - CVE 2010-3082¶

XSS melalui nilai kue tidak aman dipercaya. Full description

October 9, 2009 - CVE 2009-3695¶

Denial-of-service melalui penampilan pernyataan regular patologi. Full description

28 Juli 2009 - CVE 2009-2659¶

Lintasan-direktori dalam penangan media peladen pengembangan. Full description

2 September 2008 - CVE 2008-3909¶

CSRF melalui pemeliharaan dari data POST selama masuk admin. Full description

14 mei 2008 - CVE 2008-2302¶

XSS melalui pengalihan masuk admin. Full description

26 Oktober 2007 - CVE 2007-5712¶

Denial-of-service melalui kepala Accept-Language besar-berubah-ubah. Full description

21 Januari 2007 - CVE 2007-0405¶

Kejelasan "caching" dari pengguna terautentifikasi. Full description

16 Agustus 2006 - CVE 2007-0404¶

Masalah pengesahan nama berkas di terjemahan kerangka kerja. Full description