Django - Vulncode-DB

Note:

This project will be discontinued after December 13, 2021. [more]

Product:
Django
(Djangoproject)

Repositories	https://github.com/django/django
#Vulnerabilities	115

Date	Id	Summary	Products	Score	Patch	Annotated
2024-10-08	CVE-2024-45230	An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.	Django	7.5
2024-10-08	CVE-2024-45231	An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).	Django	5.3
2024-08-07	CVE-2024-41989	An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.	Django	7.5
2023-05-07	CVE-2023-31047	In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.	Django, Fedora	9.8
2020-02-03	CVE-2020-7471	Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.	Django	9.8
2020-03-05	CVE-2020-9402	Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.	Ubuntu_linux, Debian_linux, Django, Fedora, Steelstore_cloud_integrated_storage	8.8
2020-06-03	CVE-2020-13254	An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.	Ubuntu_linux, Debian_linux, Django, Fedora, Sra_plugin, Steelstore_cloud_integrated_storage, Zfs_storage_appliance_kit	5.9
2020-06-03	CVE-2020-13596	An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.	Ubuntu_linux, Debian_linux, Django, Fedora, Sra_plugin, Steelstore_cloud_integrated_storage, Zfs_storage_appliance_kit	6.1
2020-09-01	CVE-2020-24583	An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.	Ubuntu_linux, Django, Fedora, Zfs_storage_appliance_kit	7.5
2020-09-01	CVE-2020-24584	An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.	Ubuntu_linux, Django, Fedora, Zfs_storage_appliance_kit	7.5