==========================
Archive of security issues
==========================

Django's development team is strongly committed to responsible
reporting and disclosure of security-related issues, as outlined in
:doc:`Django's security policies </internals/security>`.

As part of that commitment, we maintain the following historical list
of issues which have been fixed and disclosed. For each issue, the
list below includes the date, a brief description, the `CVE identifier
<https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`_
if applicable, a list of affected versions, a link to the full
disclosure and links to the appropriate patch(es).

Some important caveats apply to this information:

* Lists of affected versions include only those versions of Django
  which had stable, security-supported releases at the time of
  disclosure. This means older versions (whose security support had
  expired) and versions which were in pre-release (alpha/beta/RC)
  states at the time of disclosure may have been affected, but are not
  listed.

* The Django project has on occasion issued security advisories,
  pointing out potential security problems which can arise from
  improper configuration or from other issues outside of Django
  itself. Some of these advisories have received CVEs; when that is
  the case, they are listed here, but as they have no accompanying
  patches or releases, only the description, disclosure and CVE will
  be listed.

Issues under Django's security process
======================================

All security issues have been handled under versions of Django's security
process. These are listed below.

November 1, 2023 - :cve:`2023-46695`
------------------------------------

Potential denial of service vulnerability in ``UsernameField`` on Windows.
`Full description
<https://www.djangoproject.com/weblog/2023/nov/01/security-releases/>`__

* Django 4.2 :commit:`(patch) <048a9ebb6ea468426cb4e57c71572cbbd975517f>`
* Django 4.1 :commit:`(patch) <4965bfdde2e5a5c883685019e57d123a3368a75e>`
* Django 3.2 :commit:`(patch) <f9a7fb8466a7ba4857eaf930099b5258f3eafb2b>`

October 4, 2023 - :cve:`2023-43665`
-----------------------------------

Denial-of-service possibility in ``django.utils.text.Truncator``.
`Full description
<https://www.djangoproject.com/weblog/2023/oct/04/security-releases/>`__

* Django 4.2 :commit:`(patch) <be9c27c4d18c2e6a5be8af4e53c0797440794473>`
* Django 4.1 :commit:`(patch) <c7b7024742250414e426ad49fb80db943e7ba4e8>`
* Django 3.2 :commit:`(patch) <ccdade1a0262537868d7ca64374de3d957ca50c5>`

September 4, 2023 - :cve:`2023-41164`
-------------------------------------

Potential denial of service vulnerability in
``django.utils.encoding.uri_to_iri()``. `Full description
<https://www.djangoproject.com/weblog/2023/sep/04/security-releases/>`__

* Django 4.2 :commit:`(patch) <9c51b4dcfa0cefcb48231f4d71cafa80821f87b9>`
* Django 4.1 :commit:`(patch) <ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0>`
* Django 3.2 :commit:`(patch) <6f030b1149bd8fa4ba90452e77cb3edc095ce54e>`

July 3, 2023 - :cve:`2023-36053`
--------------------------------

Potential regular expression denial of service vulnerability in
``EmailValidator``/``URLValidator``. `Full description
<https://www.djangoproject.com/weblog/2023/jul/03/security-releases/>`__

* Django 4.2 :commit:`(patch) <b7c5feb35a31799de6e582ad6a5a91a9de74e0f9>`
* Django 4.1 :commit:`(patch) <beb3f3d55940d9aa7198bf9d424ab74e873aec3d>`
* Django 3.2 :commit:`(patch) <454f2fb93437f98917283336201b4048293f7582>`

May 3, 2023 - :cve:`2023-31047`
-------------------------------

Potential bypass of validation when uploading multiple files using one form
field. `Full description
<https://www.djangoproject.com/weblog/2023/may/03/security-releases/>`__

* Django 4.2 :commit:`(patch) <21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd>`
* Django 4.1 :commit:`(patch) <e7c3a2ccc3a562328600be05068ed9149e12ce64>`
* Django 3.2 :commit:`(patch) <eed53d0011622e70b936e203005f0e6f4ac48965>`

February 14, 2023 - :cve:`2023-24580`
-------------------------------------

Potential denial-of-service vulnerability in file uploads. `Full description
<https://www.djangoproject.com/weblog/2023/feb/14/security-releases/>`__

* Django 4.1 :commit:`(patch) <628b33a854a9c68ec8a0c51f382f304a0044ec92>`
* Django 4.0 :commit:`(patch) <83f1ea83e4553e211c1c5a0dfc197b66d4e50432>`
* Django 3.2 :commit:`(patch) <a665ed5179f5bbd3db95ce67286d0192eff041d8>`

February 1, 2023 - :cve:`2023-23969`
------------------------------------

Potential denial-of-service via ``Accept-Language`` headers. `Full description
<https://www.djangoproject.com/weblog/2023/feb/01/security-releases/>`__

* Django 4.1 :commit:`(patch) <9d7bd5a56b1ce0576e8e07a8001373576d277942>`
* Django 4.0 :commit:`(patch) <4452642f193533e288a52c02efb5bbc766a68f95>`
* Django 3.2 :commit:`(patch) <c7e0151fdf33e1b11d488b6f67b94fdf3a30614a>`

October 4, 2022 - :cve:`2022-41323`
-----------------------------------

Potential denial-of-service vulnerability in internationalized URLs. `Full
description
<https://www.djangoproject.com/weblog/2022/oct/04/security-releases/>`__

* Django 4.1 :commit:`(patch) <9d656ea51d9ea7105c0c0785783ac29d426a7d25>`
* Django 4.0 :commit:`(patch) <23f0093125ac2e553da6c1b2f9988eb6a3dd2ea1>`
* Django 3.2 :commit:`(patch) <5b6b257fa7ec37ff27965358800c67e2dd11c924>`

August 3, 2022 - :cve:`2022-36359`
----------------------------------

Potential reflected file download vulnerability in FileResponse. `Full
description
<https://www.djangoproject.com/weblog/2022/aug/03/security-releases/>`__

* Django 4.0 :commit:`(patch) <b7d9529cbe0af4adabb6ea5d01ed8dcce3668fb3>`
* Django 3.2 :commit:`(patch) <b3e4494d759202a3b6bf247fd34455bf13be5b80>`

July 4, 2022 - :cve:`2022-34265`
--------------------------------

Potential SQL injection via ``Trunc(kind)`` and ``Extract(lookup_name)``
arguments. `Full description
<https://www.djangoproject.com/weblog/2022/jul/04/security-releases/>`__

* Django 4.0 :commit:`(patch) <0dc9c016fadb71a067e5a42be30164e3f96c0492>`
* Django 3.2 :commit:`(patch) <a9010fe5555e6086a9d9ae50069579400ef0685e>`

April 11, 2022 - :cve:`2022-28346`
----------------------------------

Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and
``extra()``. `Full description
<https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>`__

* Django 4.0 :commit:`(patch) <800828887a0509ad1162d6d407e94d8de7eafc60>`
* Django 3.2 :commit:`(patch) <2044dac5c6968441be6f534c4139bcf48c5c7e48>`
* Django 2.2 :commit:`(patch) <2c09e68ec911919360d5f8502cefc312f9e03c5d>`

April 11, 2022 - :cve:`2022-28347`
----------------------------------

Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL.
`Full description
<https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>`__

* Django 4.0 :commit:`(patch) <00b0fc50e1738c7174c495464a5ef069408a4402>`
* Django 3.2 :commit:`(patch) <9e19accb6e0a00ba77d5a95a91675bf18877c72d>`
* Django 2.2 :commit:`(patch) <29a6c98b4c13af82064f993f0acc6e8fafa4d3f5>`

February 1, 2022 - :cve:`2022-22818`
------------------------------------

Possible XSS via ``{% debug %}`` template tag. `Full description
<https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 4.0 :commit:`(patch) <01422046065d2b51f8f613409cad2c81b39487e5>`
* Django 3.2 :commit:`(patch) <1a1e8278c46418bde24c86a65443b0674bae65e2>`
* Django 2.2 :commit:`(patch) <c27a7eb9f40b64990398978152e62b6ff839c2e6>`

February 1, 2022 - :cve:`2022-23833`
------------------------------------

Denial-of-service possibility in file uploads. `Full description
<https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 4.0 :commit:`(patch) <f9c7d48fdd6f198a6494a9202f90242f176e4fc9>`
* Django 3.2 :commit:`(patch) <d16133568ef9c9b42cb7a08bdf9ff3feec2e5468>`
* Django 2.2 :commit:`(patch) <c477b761804984c932704554ad35f78a2e230c6a>`

January 4, 2022 - :cve:`2021-45452`
------------------------------------

Potential directory-traversal via ``Storage.save()``. `Full description
<https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 4.0 :commit:`(patch) <e1592e0f26302e79856cc7f2218ae848ae19b0f6>`
* Django 3.2 :commit:`(patch) <8d2f7cff76200cbd2337b2cf1707e383eb1fb54b>`
* Django 2.2 :commit:`(patch) <4cb35b384ceef52123fc66411a73c36a706825e1>`

January 4, 2022 - :cve:`2021-45116`
------------------------------------

Potential information disclosure in ``dictsort`` template filter. `Full
description
<https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 4.0 :commit:`(patch) <2a8ec7f546d6d5806e221ec948c5146b55bd7489>`
* Django 3.2 :commit:`(patch) <c7fe895bca06daf12cc1670b56eaf72a1ef27a16>`
* Django 2.2 :commit:`(patch) <c9f648ccfac5ab90fb2829a66da4f77e68c7f93a>`

January 4, 2022 - :cve:`2021-45115`
------------------------------------

Denial-of-service possibility in ``UserAttributeSimilarityValidator``. `Full
description
<https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 4.0 :commit:`(patch) <df79ef03ac867c93caaa6be56bc69e66abfeef8f>`
* Django 3.2 :commit:`(patch) <a8b32fe13bcaed1c0b772fdc53de84abc224fb20>`
* Django 2.2 :commit:`(patch) <2135637fdd5ce994de110affef9e67dffdf77277>`

December 7, 2021 - :cve:`2021-44420`
------------------------------------

Potential bypass of an upstream access control based on URL paths. `Full
description
<https://www.djangoproject.com/weblog/2021/dec/07/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.2 :commit:`(patch) <333c65603032c377e682cdbd7388657a5463a05a>`
* Django 3.1 :commit:`(patch) <22bd17488159601bf0741b70ae7932bffea8eced>`
* Django 2.2 :commit:`(patch) <7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7>`

July 1, 2021 - :cve:`2021-35042`
--------------------------------

Potential SQL injection via unsanitized ``QuerySet.order_by()`` input. `Full
description
<https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.2 :commit:`(patch) <a34a5f724c5d5adb2109374ba3989ebb7b11f81f>`
* Django 3.1 :commit:`(patch) <0bd57a879a0d54920bb9038a732645fb917040e9>`
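
The ``order_by()`` entry above is the archetype of a recurring pattern on
this page: an argument that ends up inside SQL as an *identifier* (an ordering
field, and likewise the ``kind``/``lookup_name`` arguments of the July 4, 2022
entry) must be matched against a fixed allowlist rather than handed through
from the request. The following is an added example written for this page,
not Django's own code or the patched ``order_by()`` implementation; the field
names in ``ORDERING_ALLOWLIST`` and the request strings are constructed, and
the result is intended to be splatted into ``QuerySet.order_by(*result)`` by
the caller.

```python
import re

# Added example, not Django's code. Client-supplied ordering such as
# "?sort=-created,name" is an identifier list that reaches SQL, so it is
# validated against a closed set of field names instead of being passed
# through to QuerySet.order_by(). ORDERING_ALLOWLIST is a constructed sample.
ORDERING_ALLOWLIST = frozenset({"created", "name", "price"})

# One term: optional leading '-' (descending) followed by a bare identifier.
# Django's "?" (random) and any expression syntax fail this pattern outright;
# related lookups such as "owner__name" are excluded by the allowlist unless
# explicitly added to it.
_ORDER_TERM = re.compile(r"^(-?)([A-Za-z_][A-Za-z0-9_]*)$")


def parse_ordering(raw, allowlist=ORDERING_ALLOWLIST, default=("-created",)):
    """Turn "-created,name" into ("-created", "name"), or raise ValueError.

    Rejects rather than "cleans": a term that is not exactly an allowlisted
    field (with optional '-') aborts the whole request, so there is no
    partial-sanitisation path for an attacker to probe.
    """
    if raw is None or raw.strip() == "":
        return tuple(default)
    terms = []
    for piece in raw.split(","):
        piece = piece.strip()
        match = _ORDER_TERM.match(piece)
        if match is None:
            raise ValueError(f"malformed ordering term: {piece!r}")
        sign, field = match.groups()
        if field not in allowlist:
            raise ValueError(f"ordering by {field!r} is not permitted")
        terms.append(sign + field)
    return tuple(terms)


def ordering_or_none(raw, allowlist=ORDERING_ALLOWLIST):
    """Same check for callers that prefer None to an exception."""
    try:
        return parse_ordering(raw, allowlist)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ("-created,name", " name , -price ", "", "name;DROP TABLE x",
                   "(SELECT 1)", "secret_column", "?", "--name"):
        print(f"{sample!r:24} -> {ordering_or_none(sample)}")
```

The point of the allowlist is that the value used in the query is one of the
program's own strings, never the client's: the regex alone would still let an
unknown but well-formed column name through, and a denylist of SQL keywords
would be the partial sanitisation that the entries on this page keep showing
to be insufficient.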
    
  260. 
    
June 2, 2021 - :cve:`2021-33203`
--------------------------------

Potential directory traversal via ``admindocs``. `Full description
<https://www.djangoproject.com/weblog/2021/jun/02/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.2 :commit:`(patch) <dfaba12cda060b8b292ae1d271b44bf810b1c5b9>`
* Django 3.1 :commit:`(patch) <20c67a0693c4ede2b09af02574823485e82e4c8f>`
* Django 2.2 :commit:`(patch) <053cc9534d174dc89daba36724ed2dcb36755b90>`

June 2, 2021 - :cve:`2021-33571`
--------------------------------

Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted
leading zeros in IPv4 addresses. `Full description
<https://www.djangoproject.com/weblog/2021/jun/02/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.2 :commit:`(patch) <9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d>`
* Django 3.1 :commit:`(patch) <203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e>`
* Django 2.2 :commit:`(patch) <f27c38ab5d90f68c9dd60cabef248a570c0be8fc>`
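
The word "indeterminate" in the entry above is the whole problem: a dotted
quad with a leading zero has no single meaning. A permissive validator reads
``010`` as decimal 10, while C ``inet_aton(3)`` (and resolvers built on it)
reads a leading ``0`` as octal and ``0x`` as hex, so ``0177.0.0.1`` passes a
check that looks like "some 177.x host" and then connects to 127.0.0.1. The
following is an added example written for this page, not Django's validator
code: it places a strict canonical-form check beside the two permissive
readings so the divergence can be seen directly. All sample addresses are
constructed.

```python
import re

# Added example, not Django's code. Sample addresses are constructed.
_STRICT_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")   # no leading zero
_DECIMAL_TOKEN = re.compile(r"^[0-9]+$")
_C_TOKEN = re.compile(r"^(0[xX][0-9A-Fa-f]+|[0-9]+)$")


def lenient_decimal_parse(text):
    """Read every octet as decimal, as a permissive r'\\d{1,3}' validator
    does. Returns a 4-tuple of ints, or None if not a dotted quad."""
    parts = text.split(".")
    if len(parts) != 4 or not all(_DECIMAL_TOKEN.match(p) for p in parts):
        return None
    octets = tuple(int(p, 10) for p in parts)
    return octets if all(o <= 255 for o in octets) else None


def _c_octet(token):
    """Octet rules of C inet_aton(3): '0x' prefix means hex, a leading '0'
    means octal, otherwise decimal. Raises ValueError on anything else."""
    if _C_TOKEN.match(token) is None:
        raise ValueError(token)
    if token[:2] in ("0x", "0X"):
        return int(token[2:], 16)
    if len(token) > 1 and token[0] == "0":
        return int(token, 8)        # "08" is not valid octal -> ValueError
    return int(token, 10)


def c_inet_aton_parse(text):
    """Read the string the way inet_aton() does. (Real inet_aton also accepts
    fewer than four parts; that shorthand is deliberately omitted here.)"""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    try:
        octets = tuple(_c_octet(p) for p in parts)
    except ValueError:
        return None
    return octets if all(o <= 255 for o in octets) else None


def strict_ipv4(text):
    """Validator: accept only canonical dotted-decimal, i.e. four octets, each
    '0' or a number with no leading zero, each <= 255. Every string this
    accepts has exactly one reading, so the two parsers above agree on it."""
    parts = text.split(".")
    if len(parts) != 4 or not all(_STRICT_OCTET.match(p) for p in parts):
        return None
    octets = tuple(int(p, 10) for p in parts)
    return octets if all(o <= 255 for o in octets) else None


def readings(text):
    """Distinct addresses the string may resolve to across the permissive
    readers; more than one element means the string is ambiguous."""
    return {r for r in (lenient_decimal_parse(text), c_inet_aton_parse(text))
            if r is not None}


if __name__ == "__main__":
    for sample in ("127.0.0.1", "0177.0.0.1", "010.0.0.1", "0x7f.0.0.1"):
        print(f"{sample:12} strict={strict_ipv4(sample)} readings={readings(sample)}")
```

Rejecting the non-canonical form is the only fix that does not depend on
guessing which parser sits downstream of the validator; "interpret it as
decimal" would simply pick one of the two readings and leave the filter
bypassable on any system that picks the other.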
    
  287. 
    
May 6, 2021 - :cve:`2021-32052`
-------------------------------

Header injection possibility since ``URLValidator`` accepted newlines in input
on Python 3.9.5+. `Full description
<https://www.djangoproject.com/weblog/2021/may/06/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.2 :commit:`(patch) <2d2c1d0c97832860fbd6597977e2aae17dd7e5b2>`
* Django 3.1 :commit:`(patch) <afb23f5929944a407e4990edef1c7806a94c9879>`
* Django 2.2 :commit:`(patch) <d9594c4ea57b6309d93879805302cec9ae9f23ff>`

May 4, 2021 - :cve:`2021-31542`
-------------------------------

Potential directory-traversal via uploaded files. `Full description
<https://www.djangoproject.com/weblog/2021/may/04/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.2 :commit:`(patch) <c98f446c188596d4ba6de71d1b77b4a6c5c2a007>`
* Django 3.1 :commit:`(patch) <25d84d64122c15050a0ee739e859f22ddab5ac48>`
* Django 2.2 :commit:`(patch) <04ac1624bdc2fa737188401757cf95ced122d26d>`

April 6, 2021 - :cve:`2021-28658`
---------------------------------

Potential directory-traversal via uploaded files. `Full description
<https://www.djangoproject.com/weblog/2021/apr/06/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.2 :commit:`(patch) <2820fd1be5dfccbf1216c3845fad8580502473e1>`
* Django 3.1 :commit:`(patch) <cca0d98118cccf9ae0c6dcf2d6c57fc50469fbf0>`
* Django 3.0 :commit:`(patch) <e7fba62248f604c76da4f23dcf1db4a57b0808ea>`
* Django 2.2 :commit:`(patch) <4036d62bda0e9e9f6172943794b744a454ca49c2>`

February 19, 2021 - :cve:`2021-23336`
-------------------------------------

Web cache poisoning via ``django.utils.http.limited_parse_qsl()``. `Full
description
<https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.2 :commit:`(patch) <be8237c7cce24b06aabde0b97afce98ddabbe3b6>`
* Django 3.1 :commit:`(patch) <8f6d431b08cbb418d9144b976e7b972546607851>`
* Django 3.0 :commit:`(patch) <326a926beef869d3341bc9ef737887f0449b6b71>`
* Django 2.2 :commit:`(patch) <fd6b6afd5959b638c62dbf4839ccff97e7f7dfda>`

February 1, 2021 - :cve:`2021-3281`
-----------------------------------

Potential directory-traversal via ``archive.extract()``. `Full description
<https://www.djangoproject.com/weblog/2021/feb/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 3.1 :commit:`(patch) <02e6592835b4559909aa3aaaf67988fef435f624>`
* Django 3.0 :commit:`(patch) <52e409ed17287e9aabda847b6afe58be2fa9f86a>`
* Django 2.2 :commit:`(patch) <21e7622dec1f8612c85c2fc37fe8efbfd3311e37>`
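
The directory-traversal entries on this page (``Storage.save()`` in the
January 4, 2022 entry, uploaded file names in the May 4 and April 6, 2021
entries, and ``archive.extract()`` just above) share one root cause: a name
chosen by the client was joined onto a directory chosen by the server without
checking where the normalised result landed. The following is an added example
written for this page, not Django's own ``safe_join`` or storage code. It uses
``posixpath`` throughout so the behaviour does not depend on the host OS, and
the base directories and the zip archive it inspects are constructed inline.

```python
import io
import posixpath
import zipfile

# Added example, not Django's code. Base directories and archive contents
# below are constructed for illustration.


class SuspiciousPath(ValueError):
    """Raised when a client-supplied path would escape its base directory."""


def safe_join(base, *paths):
    """Join *paths under base and return an absolute path, raising
    SuspiciousPath if the normalised result lies outside base.

    The test is on the normalised absolute result, not on the input text, so
    "../x", "docs/../../x" and "/etc/passwd" (an absolute component makes
    posixpath.join discard everything before it) are all caught, while a
    harmless "a/../b" is allowed and resolves to base/b.
    """
    base = posixpath.abspath(base)
    final = posixpath.abspath(posixpath.join(base, *paths))
    if final != base and not final.startswith(base.rstrip("/") + "/"):
        raise SuspiciousPath(f"{final!r} is outside {base!r}")
    return final


def is_safe_path(base, *paths):
    """Boolean form of safe_join for callers that only need a verdict."""
    try:
        safe_join(base, *paths)
    except SuspiciousPath:
        return False
    return True


def validate_upload_name(name):
    """For a single uploaded file be stricter still: the name must be a bare
    file name, never a path, and never empty, '.', '..' or NUL-containing.
    Returns the name unchanged or raises SuspiciousPath."""
    if name in ("", ".", "..") or any(c in name for c in "/\\\x00"):
        raise SuspiciousPath(f"bad upload name {name!r}")
    return name


def unsafe_archive_members(data, dest):
    """Names of zip members (archive given as bytes) that a naive join onto
    dest would place outside dest. An empty list means the archive is safe
    to extract with respect to traversal."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_path(dest, info.filename):
                bad.append(info.filename)
    return bad


def build_sample_archive():
    """Constructed sample: one benign member and two that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../etc/cron.d/evil", "* * * * * root id")
        zf.writestr("docs/../../escape.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    print(safe_join("/srv/uploads", "a/../b"))
    print(unsafe_archive_members(build_sample_archive(), "/srv/extract"))
```

Two details matter in practice. The containment check compares against
``base + "/"``, so a sibling such as ``/srv/uploads-old/x`` does not pass
merely because its string starts with ``/srv/uploads``. And the archive check
is done on every member before anything is written, since an archive that is
half extracted when the bad member is met has already done its damage.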
    
  356. 
    
  357. September 1, 2020 - :cve:`2020-24584`
    
  358. -------------------------------------
    
  359. 
    
  360. Permission escalation in intermediate-level directories of the file system
    
  361. cache on Python 3.7+. `Full description
    
  362. <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>`__
    
  363. 
    
  364. Versions affected
    
  365. ~~~~~~~~~~~~~~~~~
    
  366. 
    
  367. * Django 3.1 :commit:`(patch) <2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b>`
    
  368. * Django 3.0 :commit:`(patch) <cdb367c92a0ba72ddc0cbd13ff42b0e6df709554>`
    
  369. * Django 2.2 :commit:`(patch) <a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f>`
    
  370. 
    
  371. September 1, 2020 - :cve:`2020-24583`
    
  372. -------------------------------------
    
  373. 
    
  374. Incorrect permissions on intermediate-level directories on Python 3.7+. `Full
    
  375. description
    
  376. <https://www.djangoproject.com/weblog/2020/sep/01/security-releases/>`__
    
  377. 
    
  378. Versions affected
    
  379. ~~~~~~~~~~~~~~~~~
    
  380. 
    
  381. * Django 3.1 :commit:`(patch) <934430d22aa5d90c2ba33495ff69a6a1d997d584>`
    
  382. * Django 3.0 :commit:`(patch) <08892bffd275c79ee1f8f67639eb170aaaf1181e>`
    
  383. * Django 2.2 :commit:`(patch) <375657a71c889c588f723469bd868bd1d40c369f>`
    
  384. 
    
  385. June 3, 2020 - :cve:`2020-13596`
    
  386. --------------------------------
    
  387. 
    
  388. Possible XSS via admin ``ForeignKeyRawIdWidget``. `Full description
    
  389. <https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>`__
    
  390. 
    
  391. Versions affected
    
  392. ~~~~~~~~~~~~~~~~~
    
  393. 
    
  394. * Django 3.0 :commit:`(patch) <1f2dd37f6fcefdd10ed44cb233b2e62b520afb38>`
    
  395. * Django 2.2 :commit:`(patch) <6d61860b22875f358fac83d903dc629897934815>`
    
  396. 
    
  397. June 3, 2020 - :cve:`2020-13254`
    
  398. --------------------------------
    
  399. 
    
  400. Potential data leakage via malformed memcached keys. `Full description
    
  401. <https://www.djangoproject.com/weblog/2020/jun/03/security-releases/>`__
    
  402. 
    
  403. Versions affected
    
  404. ~~~~~~~~~~~~~~~~~
    
  405. 
    
  406. * Django 3.0 :commit:`(patch) <84b2da5552e100ae3294f564f6c862fef8d0e693>`
    
  407. * Django 2.2 :commit:`(patch) <07e59caa02831c4569bbebb9eb773bdd9cb4b206>`
    
  408. 
    
  409. March 4, 2020 - :cve:`2020-9402`
    
  410. --------------------------------
    
  411. 
    
  412. Potential SQL injection via ``tolerance`` parameter in GIS functions and
    
  413. aggregates on Oracle. `Full description
    
  414. <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>`__
    
  415. 
    
  416. Versions affected
    
  417. ~~~~~~~~~~~~~~~~~
    
  418. 
    
  419. * Django 3.0 :commit:`(patch) <26a5cf834526e291db00385dd33d319b8271fc4c>`
    
  420. * Django 2.2 :commit:`(patch) <fe886a3b58a93cfbe8864b485f93cb6d426cd1f2>`
    
  421. * Django 1.11 :commit:`(patch) <02d97f3c9a88adc890047996e5606180bd1c6166>`
    
  422. 
    
  423. February 3, 2020 - :cve:`2020-7471`
    
  424. -----------------------------------
    
  425. 
    
  426. Potential SQL injection via ``StringAgg(delimiter)``. `Full description
    
  427. <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>`__
    
  428. 
    
  429. Versions affected
    
  430. ~~~~~~~~~~~~~~~~~
    
  431. 
    
  432. * Django 3.0 :commit:`(patch) <505826b469b16ab36693360da9e11fd13213421b>`
    
  433. * Django 2.2 :commit:`(patch) <c67a368c16e4680b324b4f385398d638db4d8147>`
    
  434. * Django 1.11 :commit:`(patch) <001b0634cd309e372edb6d7d95d083d02b8e37bd>`
    
  435. 
    
  436. December 18, 2019 - :cve:`2019-19844`
    
  437. -------------------------------------
    
  438. 
    
  439. Potential account hijack via password reset form. `Full description
    
  440. <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>`__
    
  441. 
    
  442. Versions affected
    
  443. ~~~~~~~~~~~~~~~~~
    
  444. 
    
  445. * Django 3.0 :commit:`(patch) <302a4ff1e8b1c798aab97673909c7a3dfda42c26>`
    
  446. * Django 2.2 :commit:`(patch) <4d334bea06cac63dc1272abcec545b85136cca0e>`
    
  447. * Django 1.11 :commit:`(patch) <f4cff43bf921fcea6a29b726eb66767f67753fa2>`
    
  448. 
    
  449. December 2, 2019 - :cve:`2019-19118`
    
  450. ------------------------------------
    
  451. 
    
  452. Privilege escalation in the Django admin. `Full description
    
  453. <https://www.djangoproject.com/weblog/2019/dec/02/security-releases/>`__
    
  454. 
    
  455. Versions affected
    
  456. ~~~~~~~~~~~~~~~~~
    
  457. 
    
  458. * Django 3.0 :commit:`(patch) <092cd66cf3c3e175acce698d6ca2012068d878fa>`
    
  459. * Django 2.2 :commit:`(patch) <36f580a17f0b3cb087deadf3b65eea024f479c21>`
    
  460. * Django 2.1 :commit:`(patch) <103ebe2b5ff1b2614b85a52c239f471904d26244>`
    
  461. 
    
  462. August 1, 2019 - :cve:`2019-14235`
    
  463. ----------------------------------
    
  464. 
    
  465. Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``. `Full
    
  466. description
    
  467. <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>`__
    
  468. 
    
  469. Versions affected
    
  470. ~~~~~~~~~~~~~~~~~
    
  471. 
    
  472. * Django 2.2 :commit:`(patch) <cf694e6852b0da7799f8b53f1fb2f7d20cf17534>`
    
  473. * Django 2.1 :commit:`(patch) <5d50a2e5fa36ad23ab532fc54cf4073de84b3306>`
    
  474. * Django 1.11 :commit:`(patch) <869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79>`
    
  475. 
    
  476. August 1, 2019 - :cve:`2019-14234`
    
  477. ----------------------------------
    
  478. 
    
  479. SQL injection possibility in key and index lookups for
    
  480. ``JSONField``/``HStoreField``. `Full description
    
  481. <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>`__
    
  482. 
    
  483. Versions affected
    
  484. ~~~~~~~~~~~~~~~~~
    
  485. 
    
  486. * Django 2.2 :commit:`(patch) <4f5b58f5cd3c57fee9972ab074f8dc6895d8f387>`
    
  487. * Django 2.1 :commit:`(patch) <f74b3ae3628c26e1b4f8db3d13a91d52a833a975>`
    
  488. * Django 1.11 :commit:`(patch) <ed682a24fca774818542757651bfba576c3fc3ef>`
    
  489. 
    
  490. August 1, 2019 - :cve:`2019-14233`
    
  491. ----------------------------------
    
  492. 
    
  493. Denial-of-service possibility in ``strip_tags()``. `Full description
    
  494. <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>`__
    
  495. 
    
  496. Versions affected
    
  497. ~~~~~~~~~~~~~~~~~
    
  498. 
    
  499. * Django 2.2 :commit:`(patch) <e34f3c0e9ee5fc9022428fe91640638bafd4cda7>`
    
  500. * Django 2.1 :commit:`(patch) <5ff8e791148bd451180124d76a55cb2b2b9556eb>`
    
  501. * Django 1.11 :commit:`(patch) <52479acce792ad80bb0f915f20b835f919993c72>`
    
  502. 
    
  503. 
    
  504. August 1, 2019 - :cve:`2019-14232`
    
  505. ----------------------------------
    
  506. 
    
  507. Denial-of-service possibility in ``django.utils.text.Truncator``. `Full
    
  508. description <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>`__
    
  509. 
    
  510. Versions affected
    
  511. ~~~~~~~~~~~~~~~~~
    
  512. 
    
  513. * Django 2.2 :commit:`(patch) <c3289717c6f21a8cf23daff1c78c0c014b94041f>`
    
  514. * Django 2.1 :commit:`(patch) <c23723a1551340cc7d3126f04fcfd178fa224193>`
    
  515. * Django 1.11 :commit:`(patch) <42a66e969023c00536256469f0e8b8a099ef109d>`
    
  516. 
    
  517. July 1, 2019 - :cve:`2019-12781`
    
  518. --------------------------------
    
  519. 
    
  520. Incorrect HTTP detection with reverse-proxy connecting via HTTPS. `Full
    
  521. description <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>`__
    
  522. 
    
  523. Versions affected
    
  524. ~~~~~~~~~~~~~~~~~
    
  525. 
    
  526. * Django 2.2 :commit:`(patch) <77706a3e4766da5d5fb75c4db22a0a59a28e6cd6>`
    
  527. * Django 2.1 :commit:`(patch) <1e40f427bb8d0fb37cc9f830096a97c36c97af6f>`
    
  528. * Django 1.11 :commit:`(patch) <32124fc41e75074141b05f10fc55a4f01ff7f050>`
    
  529. 
    
  530. June 3, 2019 - :cve:`2019-12308`
    
  531. --------------------------------
    
  532. 
    
  533. XSS via "Current URL" link generated by ``AdminURLFieldWidget``. `Full
    
  534. description <https://www.djangoproject.com/weblog/2019/jun/03/security-releases/>`__
    
  535. 
    
  536. Versions affected
    
  537. ~~~~~~~~~~~~~~~~~
    
  538. 
    
  539. * Django 2.2 :commit:`(patch) <afddabf8428ddc89a332f7a78d0d21eaf2b5a673>`
    
  540. * Django 2.1 :commit:`(patch) <09186a13d975de6d049f8b3e05484f66b01ece62>`
    
  541. * Django 1.11 :commit:`(patch) <c238701859a52d584f349cce15d56c8e8137c52b>`
    
  542. 
    
  543. June 3, 2019 - :cve:`2019-11358`
    
  544. --------------------------------
    
  545. 
    
  546. Prototype pollution in bundled jQuery. `Full description
    
  547. <https://www.djangoproject.com/weblog/2019/jun/03/security-releases/>`__
    
  548. 
    
  549. Versions affected
    
  550. ~~~~~~~~~~~~~~~~~
    
  551. 
    
  552. * Django 2.2 :commit:`(patch) <baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad>`
    
  553. * Django 2.1 :commit:`(patch) <95649bc08547a878cebfa1d019edec8cb1b80829>`
    
  554. 
    
  555. February 11, 2019 - :cve:`2019-6975`
    
  556. ------------------------------------
    
  557. 
    
  558. Memory exhaustion in ``django.utils.numberformat.format()``. `Full description
    
  559. <https://www.djangoproject.com/weblog/2019/feb/11/security-releases/>`__
    
  560. 
    
  561. Versions affected
    
  562. ~~~~~~~~~~~~~~~~~
    
  563. 
    
  564. * Django 2.1 :commit:`(patch) <40cd19055773705301c3428ed5e08a036d2091f3>`
    
  565. * Django 2.0 :commit:`(patch <1f42f82566c9d2d73aff1c42790d6b1b243f7676>` and
    
  566.   :commit:`correction) <392e040647403fc8007708d52ce01d915b014849>`
    
  567. * Django 1.11 :commit:`(patch) <0bbb560183fabf0533289700845dafa94951f227>`
    
  568. 
    
  569. January 4, 2019 - :cve:`2019-3498`
    
  570. ----------------------------------
    
  571. 
    
  572. Content spoofing possibility in the default 404 page. `Full description
    
  573. <https://www.djangoproject.com/weblog/2019/jan/04/security-releases/>`__
    
  574. 
    
  575. Versions affected
    
  576. ~~~~~~~~~~~~~~~~~
    
  577. 
    
  578. * Django 2.1 :commit:`(patch) <64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b>`
    
  579. * Django 2.0 :commit:`(patch) <9f4ed7c94c62e21644ef5115e393ac426b886f2e>`
    
  580. * Django 1.11 :commit:`(patch) <1cd00fcf52d089ef0fe03beabd05d59df8ea052a>`
    
  581. 
    
  582. October 1, 2018 - :cve:`2018-16984`
    
  583. -----------------------------------
    
  584. 
    
  585. Password hash disclosure to "view only" admin users. `Full description
    
  586. <https://www.djangoproject.com/weblog/2018/oct/01/security-release/>`__
    
  587. 
    
  588. Versions affected
    
  589. ~~~~~~~~~~~~~~~~~
    
  590. 
    
  591. * Django 2.1 :commit:`(patch) <c4bd5b597e0aa2432e4c867b86650f18af117851>`
    
  592. 
    
  593. August 1, 2018 - :cve:`2018-14574`
    
  594. ----------------------------------
    
  595. 
    
  596. Open redirect possibility in ``CommonMiddleware``. `Full description
    
  597. <https://www.djangoproject.com/weblog/2018/aug/01/security-releases/>`__
    
  598. 
    
  599. Versions affected
    
  600. ~~~~~~~~~~~~~~~~~
    
  601. 
    
  602. * Django 2.1 :commit:`(patch) <c4e5ff7fdb5fce447675e90291fd33fddd052b3c>`
    
  603. * Django 2.0 :commit:`(patch) <6fffc3c6d420e44f4029d5643f38d00a39b08525>`
    
  604. * Django 1.11 :commit:`(patch) <d6eaee092709aad477a9894598496c6deec532ff>`
    
  605. 
    
March 6, 2018 - :cve:`2018-7537`
--------------------------------

Denial-of-service possibility in ``truncatechars_html`` and
``truncatewords_html`` template filters. `Full description
<https://www.djangoproject.com/weblog/2018/mar/06/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 2.0 :commit:`(patch) <94c5da1d17a6b0d378866c66b605102c19f7988c>`
* Django 1.11 :commit:`(patch) <a91436360b79a6ff995c3e5018bcc666dfaf1539>`
* Django 1.8 :commit:`(patch) <d17974a287a6ea2e361daff88fcc004cbd6835fa>`

March 6, 2018 - :cve:`2018-7536`
--------------------------------

Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template
filters. `Full description
<https://www.djangoproject.com/weblog/2018/mar/06/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 2.0 :commit:`(patch) <e157315da3ae7005fa0683ffc9751dbeca7306c8>`
* Django 1.11 :commit:`(patch) <abf89d729f210c692a50e0ad3f75fb6bec6fae16>`
* Django 1.8 :commit:`(patch) <1ca63a66ef3163149ad822701273e8a1844192c2>`

February 1, 2018 - :cve:`2018-6188`
-----------------------------------

Information leakage in ``AuthenticationForm``. `Full description
<https://www.djangoproject.com/weblog/2018/feb/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 2.0 :commit:`(patch) <c37bb28677295f6edda61d8ac461014ef0d3aeb2>`
* Django 1.11 :commit:`(patch) <57b95fedad5e0b83fc9c81466b7d1751c6427aae>`

September 5, 2017 - :cve:`2017-12794`
-------------------------------------

Possible XSS in traceback section of technical 500 debug page. `Full
description <https://www.djangoproject.com/weblog/2017/sep/05/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.11 :commit:`(patch) <e35a0c56086924f331e9422daa266e907a4784cc>`
* Django 1.10 :commit:`(patch) <58e08e80e362db79eb0fd775dc81faad90dca47a>`

April 4, 2017 - :cve:`2017-7234`
--------------------------------

Open redirect vulnerability in ``django.views.static.serve()``. `Full
description <https://www.djangoproject.com/weblog/2017/apr/04/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.10 :commit:`(patch) <2a9f6ef71b8e23fd267ee2be1be26dde8ab67037>`
* Django 1.9 :commit:`(patch) <5f1ffb07afc1e59729ce2b283124116d6c0659e4>`
* Django 1.8 :commit:`(patch) <4a6b945dffe8d10e7cec107d93e6efaebfbded29>`

April 4, 2017 - :cve:`2017-7233`
--------------------------------

Open redirect and possible XSS attack via user-supplied numeric redirect URLs.
`Full description <https://www.djangoproject.com/weblog/2017/apr/04/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.10 :commit:`(patch) <f824655bc2c50b19d2f202d7640785caabc82787>`
* Django 1.9 :commit:`(patch) <254326cb3682389f55f886804d2c43f7b9f23e4f>`
* Django 1.8 :commit:`(patch) <8339277518c7d8ec280070a780915304654e3b66>`

November 1, 2016 - :cve:`2016-9014`
-----------------------------------

DNS rebinding vulnerability when ``DEBUG=True``. `Full description
<https://www.djangoproject.com/weblog/2016/nov/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.10 :commit:`(patch) <884e113838e5a72b4b0ec9e5e87aa480f6aa4472>`
* Django 1.9 :commit:`(patch) <45acd6d836895a4c36575f48b3fb36a3dae98d19>`
* Django 1.8 :commit:`(patch) <c401ae9a7dfb1a94a8a61927ed541d6f93089587>`

November 1, 2016 - :cve:`2016-9013`
-----------------------------------

User with hardcoded password created when running tests on Oracle. `Full
description <https://www.djangoproject.com/weblog/2016/nov/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.10 :commit:`(patch) <34e10720d81b8d407aa14d763b6a7fe8f13b4f2e>`
* Django 1.9 :commit:`(patch) <4844d86c7728c1a5a3bbce4ad336a8d32304072b>`
* Django 1.8 :commit:`(patch) <70f99952965a430daf69eeb9947079aae535d2d0>`

September 26, 2016 - :cve:`2016-7401`
-------------------------------------

CSRF protection bypass on a site with Google Analytics. `Full description
<https://www.djangoproject.com/weblog/2016/sep/26/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.9 :commit:`(patch) <d1bc980db1c0fffd6d60677e62f70beadb9fe64a>`
* Django 1.8 :commit:`(patch) <6118ab7d0676f0d622278e5be215f14fb5410b6a>`

July 18, 2016 - :cve:`2016-6186`
--------------------------------

XSS in admin's add/change related popup. `Full description
<https://www.djangoproject.com/weblog/2016/jul/18/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.9 :commit:`(patch) <d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158>`
* Django 1.8 :commit:`(patch) <f68e5a99164867ab0e071a936470958ed867479d>`

March 1, 2016 - :cve:`2016-2513`
--------------------------------

User enumeration through timing difference on password hasher work factor
upgrade. `Full description
<https://www.djangoproject.com/weblog/2016/mar/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.9 :commit:`(patch) <af7d09b0c5c6ab68e629fd9baf736f9dd203b18e>`
* Django 1.8 :commit:`(patch) <f4e6e02f7713a6924d16540be279909ff4091eb6>`

March 1, 2016 - :cve:`2016-2512`
--------------------------------

Malicious redirect and possible XSS attack via user-supplied redirect URLs
containing basic auth. `Full description
<https://www.djangoproject.com/weblog/2016/mar/01/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.9 :commit:`(patch) <fc6d147a63f89795dbcdecb0559256470fff4380>`
* Django 1.8 :commit:`(patch) <382ab137312961ad62feb8109d70a5a581fe8350>`

February 1, 2016 - :cve:`2016-2048`
-----------------------------------

User with "change" but not "add" permission can create objects for
``ModelAdmin``’s with ``save_as=True``. `Full description
<https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.9 :commit:`(patch) <adbca5e4db42542575734b8e5d26961c8ada7265>`
    
November 24, 2015 - :cve:`2015-8213`
------------------------------------

Settings leak possibility in ``date`` template filter. `Full description
<https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.8 :commit:`(patch) <9f83fc2f66f5a0bac7c291aec55df66050bb6991>`
* Django 1.7 :commit:`(patch) <8a01c6b53169ee079cb21ac5919fdafcc8c5e172>`

August 18, 2015 - :cve:`2015-5963` / :cve:`2015-5964`
-----------------------------------------------------

Denial-of-service possibility in ``logout()`` view by filling session store.
`Full description <https://www.djangoproject.com/weblog/2015/aug/18/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.8 :commit:`(patch) <2eb86b01d7b59be06076f6179a454d0fd0afaff6>`
* Django 1.7 :commit:`(patch) <2f5485346ee6f84b4e52068c04e043092daf55f7>`
* Django 1.4 :commit:`(patch) <575f59f9bc7c59a5e41a081d1f5f55fc859c5012>`

July 8, 2015 - :cve:`2015-5145`
-------------------------------

Denial-of-service possibility in URL validation. `Full description
<https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.8 :commit:`(patch) <8f9a4d3a2bc42f14bb437defd30c7315adbff22c>`

July 8, 2015 - :cve:`2015-5144`
-------------------------------

Header injection possibility since validators accept newlines in input. `Full
description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.8 :commit:`(patch) <574dd5e0b0fbb877ae5827b1603d298edc9bb2a0>`
* Django 1.7 :commit:`(patch) <ae49b4d994656bc037513dcd064cb9ce5bb85649>`
* Django 1.4 :commit:`(patch) <1ba1cdce7d58e6740fe51955d945b56ae51d072a>`

July 8, 2015 - :cve:`2015-5143`
-------------------------------

Denial-of-service possibility by filling session store. `Full
description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.8 :commit:`(patch) <66d12d1ababa8f062857ee5eb43276493720bf16>`
* Django 1.7 :commit:`(patch) <1828f4341ec53a8684112d24031b767eba557663>`
* Django 1.4 :commit:`(patch) <2e47f3e401c29bc2ba5ab794d483cb0820855fb9>`

May 20, 2015 - :cve:`2015-3982`
-------------------------------

Fixed session flushing in the ``cached_db`` backend. `Full description
<https://www.djangoproject.com/weblog/2015/may/20/security-release/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.8 :commit:`(patch) <31cb25adecba930bdeee4556709f5a1c42d88fd6>`

March 18, 2015 - :cve:`2015-2317`
---------------------------------

Mitigated possible XSS attack via user-supplied redirect URLs. `Full
description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <2342693b31f740a422abf7267c53b4e7bc487c1b>`
* Django 1.6 :commit:`(patch) <5510f070711540aaa8d3707776cd77494e688ef9>`
* Django 1.7 :commit:`(patch) <2a4113dbd532ce952308992633d802dc169a75f1>`
* Django 1.8 :commit:`(patch) <770427c2896a078925abfca2317486b284d22f04>`

March 18, 2015 - :cve:`2015-2316`
---------------------------------

Denial-of-service possibility with ``strip_tags()``. `Full description
<https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.6 :commit:`(patch) <b6b3cb9899214a23ebb0f4ebf0e0b300b0ee524f>`
* Django 1.7 :commit:`(patch) <e63363f8e075fa8d66326ad6a1cc3391cc95cd97>`
* Django 1.8 :commit:`(patch) <5447709a571cd5d95971f1d5d21d4a7edcf85bbd>`

March 9, 2015 - :cve:`2015-2241`
--------------------------------

XSS attack via properties in ``ModelAdmin.readonly_fields``. `Full description
<https://www.djangoproject.com/weblog/2015/mar/09/security-releases/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.7 :commit:`(patch) <d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059>`
* Django 1.8 :commit:`(patch) <2654e1b93923bac55f12b4e66c5e39b16695ace5>`

January 13, 2015 - :cve:`2015-0222`
-----------------------------------

Database denial-of-service with ``ModelMultipleChoiceField``. `Full description
<https://www.djangoproject.com/weblog/2015/jan/13/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.6 :commit:`(patch) <d7a06ee7e571b6dad07c0f5b519b1db02e2a476c>`
* Django 1.7 :commit:`(patch) <bcfb47780ce7caecb409a9e9c1c314266e41d392>`

January 13, 2015 - :cve:`2015-0221`
-----------------------------------

Denial-of-service attack against ``django.views.static.serve()``. `Full
description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <d020da6646c5142bc092247d218a3d1ce3e993f7>`
* Django 1.6 :commit:`(patch) <553779c4055e8742cc832ed525b9ee34b174934f>`
* Django 1.7 :commit:`(patch) <818e59a3f0fbadf6c447754d202d88df025f8f2a>`

January 13, 2015 - :cve:`2015-0220`
-----------------------------------

Mitigated possible XSS attack via user-supplied redirect URLs. `Full
description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <4c241f1b710da6419d9dca160e80b23b82db7758>`
* Django 1.6 :commit:`(patch) <72e0b033662faa11bb7f516f18a132728aa0ae28>`
* Django 1.7 :commit:`(patch) <de67dedc771ad2edec15c1d00c083a1a084e1e89>`

January 13, 2015 - :cve:`2015-0219`
-----------------------------------

WSGI header spoofing via underscore/dash conflation. `Full description
<https://www.djangoproject.com/weblog/2015/jan/13/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <4f6fffc1dc429f1ad428ecf8e6620739e8837450>`
* Django 1.6 :commit:`(patch) <d7597b31d5c03106eeba4be14a33b32a5e25f4ee>`
* Django 1.7 :commit:`(patch) <41b4bc73ee0da7b2e09f4af47fc1fd21144c710f>`
    
August 20, 2014 - :cve:`2014-0483`
----------------------------------

Data leakage via querystring manipulation in admin.
`Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <027bd348642007617518379f8b02546abacaa6e0>`
* Django 1.5 :commit:`(patch) <2a446c896e7c814661fb9c4f212b071b2a7fa446>`
* Django 1.6 :commit:`(patch) <f7c494f2506250b8cb5923714360a3642ed63e0f>`
* Django 1.7 :commit:`(patch) <2b31342cdf14fc20e07c43d258f1e7334ad664a6>`

August 20, 2014 - :cve:`2014-0482`
----------------------------------

``RemoteUserMiddleware`` session hijacking. `Full description
<https://www.djangoproject.com/weblog/2014/aug/20/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <c9e3b9949cd55f090591fbdc4a114fcb8368b6d9>`
* Django 1.5 :commit:`(patch) <dd68f319b365f6cb38c5a6c106faf4f6142d7d88>`
* Django 1.6 :commit:`(patch) <0268b855f9eab3377f2821164ef3e66037789e09>`
* Django 1.7 :commit:`(patch) <1a45d059c70385fcd6f4a3955f3b4e4cc96d0150>`

August 20, 2014 - :cve:`2014-0481`
----------------------------------

File upload denial of service. `Full description
<https://www.djangoproject.com/weblog/2014/aug/20/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <30042d475bf084c6723c6217a21598d9247a9c41>`
* Django 1.5 :commit:`(patch) <26cd48e166ac4d84317c8ee6d63ac52a87e8da99>`
* Django 1.6 :commit:`(patch) <dd0c3f4ee1a30c1a1e6055061c6ba6e58c6b54d1>`
* Django 1.7 :commit:`(patch) <3123f8452cf49071be9110e277eea60ba0032216>`

August 20, 2014 - :cve:`2014-0480`
----------------------------------

``reverse()`` can generate URLs pointing to other hosts. `Full description
<https://www.djangoproject.com/weblog/2014/aug/20/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <c2fe73133b62a1d9e8f7a6b43966570b14618d7e>`
* Django 1.5 :commit:`(patch) <45ac9d4fb087d21902469fc22643f5201d41a0cd>`
* Django 1.6 :commit:`(patch) <da051da8df5e69944745072611351d4cfc6435d5>`
* Django 1.7 :commit:`(patch) <bf650a2ee78c6d1f4544a875dcc777cf27fe93e9>`

May 18, 2014 - :cve:`2014-3730`
-------------------------------

Malformed URLs from user input incorrectly validated. `Full description
<https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <7feb54bbae3f637ab3c4dd4831d4385964f574df>`
* Django 1.5 :commit:`(patch) <ad32c218850ad40972dcef57beb460f8c979dd6d>`
* Django 1.6 :commit:`(patch) <601107524523bca02376a0ddc1a06c6fdb8f22f3>`
* Django 1.7 :commit:`(patch) <e7b0cace455c2da24492660636bfd48c45a19cdf>`

May 18, 2014 - :cve:`2014-1418`
-------------------------------

Caches may be allowed to store and serve private data. `Full description
<https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <28e23306aa53bbbb8fb87db85f99d970b051026c>`
* Django 1.5 :commit:`(patch) <4001ec8698f577b973c5a540801d8a0bbea1205b>`
* Django 1.6 :commit:`(patch) <1abcf3a808b35abae5d425ed4d44cb6e886dc769>`
* Django 1.7 :commit:`(patch) <7fef18ba9e5a8b47bc24b5bb259c8bf3d3879f2a>`

April 21, 2014 - :cve:`2014-0474`
---------------------------------

MySQL typecasting causes unexpected query results. `Full description
<https://www.djangoproject.com/weblog/2014/apr/21/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <aa80f498de6d687e613860933ac58433ab71ea4b>`
* Django 1.5 :commit:`(patch) <985434fb1d6bf2335bf96c6ebf91c3674f1f399f>`
* Django 1.6 :commit:`(patch) <5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292>`
* Django 1.7 :commit:`(patch) <34526c2f56b863c2103655a0893ac801667e86ea>`

April 21, 2014 - :cve:`2014-0473`
---------------------------------

Caching of anonymous pages could reveal CSRF token. `Full description
<https://www.djangoproject.com/weblog/2014/apr/21/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <1170f285ddd6a94a65f911a27788ba49ca08c0b0>`
* Django 1.5 :commit:`(patch) <6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8>`
* Django 1.6 :commit:`(patch) <d63e20942f3024f24cb8cd85a49461ba8a9b6736>`
* Django 1.7 :commit:`(patch) <380545bf85cbf17fc698d136815b7691f8d023ca>`

April 21, 2014 - :cve:`2014-0472`
---------------------------------

Unexpected code execution using ``reverse()``. `Full description
<https://www.djangoproject.com/weblog/2014/apr/21/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535>`
* Django 1.5 :commit:`(patch) <2a5bcb69f42b84464b24b5c835dca6467b6aa7f1>`
* Django 1.6 :commit:`(patch) <4352a50871e239ebcdf64eee6f0b88e714015c1b>`
* Django 1.7 :commit:`(patch) <546740544d7f69254a67b06a3fc7fa0c43512958>`

September 14, 2013 - :cve:`2013-1443`
-------------------------------------

Denial-of-service via large passwords. `Full description
<https://www.djangoproject.com/weblog/2013/sep/15/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch <3f3d887a6844ec2db743fee64c9e53e04d39a368>` and :commit:`Python compatibility fix) <6903d1690a92aa040adfb0c8eb37cf62e4206714>`
* Django 1.5 :commit:`(patch) <22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`

September 10, 2013 - :cve:`2013-4315`
-------------------------------------

Directory-traversal via ``ssi`` template tag. `Full description
<https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <87d2750b39f6f2d54b7047225521a44dcd37e896>`
* Django 1.5 :commit:`(patch) <988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`

August 13, 2013 - :cve:`2013-6044`
----------------------------------

Possible XSS via unvalidated URL redirect schemes. `Full description
<https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.4 :commit:`(patch) <ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`
* Django 1.5 :commit:`(patch) <1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`

August 13, 2013 - :cve:`2013-4249`
----------------------------------

XSS via admin trusting ``URLField`` values. `Full description
<https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.5 :commit:`(patch) <90363e388c61874add3f3557ee654a996ec75d78>`

February 19, 2013 - :cve:`2013-0306`
------------------------------------

Denial-of-service via formset ``max_num`` bypass. `Full description
<https://www.djangoproject.com/weblog/2013/feb/19/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <d7094bbce8cb838f3b40f504f198c098ff1cf727>`
* Django 1.4 :commit:`(patch) <0cc350a896f70ace18280410eb616a9197d862b0>`

February 19, 2013 - :cve:`2013-0305`
------------------------------------

Information leakage via admin history log. `Full description
<https://www.djangoproject.com/weblog/2013/feb/19/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <d3a45e10c8ac8268899999129daa27652ec0da35>`
* Django 1.4 :commit:`(patch) <0e7861aec73702f7933ce2a93056f7983939f0d6>`
    
February 19, 2013 - :cve:`2013-1664` / :cve:`2013-1665`
-------------------------------------------------------

Entity-based attacks against Python XML libraries. `Full description
<https://www.djangoproject.com/weblog/2013/feb/19/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <d19a27066b2247102e65412aa66917aff0091112>`
* Django 1.4 :commit:`(patch) <1c60d07ba23e0350351c278ad28d0bd5aa410b40>`

February 19, 2013 - No CVE
--------------------------

Additional hardening of ``Host`` header handling. `Full description
<https://www.djangoproject.com/weblog/2013/feb/19/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`
* Django 1.4 :commit:`(patch) <9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`

December 10, 2012 - No CVE 2
----------------------------

Additional hardening of redirect validation. `Full description
<https://www.djangoproject.com/weblog/2012/dec/10/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <1515eb46daa0897ba5ad5f0a2db8969255f1b343>`
* Django 1.4 :commit:`(patch) <b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`

December 10, 2012 - No CVE 1
----------------------------

Additional hardening of ``Host`` header handling. `Full description
<https://www.djangoproject.com/weblog/2012/dec/10/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`
* Django 1.4 :commit:`(patch) <319627c184e71ae267d6b7f000e293168c7b6e09>`

October 17, 2012 - :cve:`2012-4520`
-----------------------------------

``Host`` header poisoning. `Full description
<https://www.djangoproject.com/weblog/2012/oct/17/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <b45c377f8f488955e0c7069cad3f3dd21910b071>`
* Django 1.4 :commit:`(patch) <92d3430f12171f16f566c9050c40feefb830a4a3>`

July 30, 2012 - :cve:`2012-3444`
--------------------------------

Denial-of-service via large image files. `Full description
<https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`
* Django 1.4 :commit:`(patch) <da33d67181b53fe6cc737ac1220153814a1509f6>`

July 30, 2012 - :cve:`2012-3443`
--------------------------------

Denial-of-service via compressed image files. `Full description
<https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <b2eb4787a0fff9c9993b78be5c698e85108f3446>`
* Django 1.4 :commit:`(patch) <c14f325c4eef628bc7bfd8873c3a72aeb0219141>`

July 30, 2012 - :cve:`2012-3442`
--------------------------------

XSS via failure to validate redirect scheme. `Full description
<https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.3 :commit:`(patch) <4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`
* Django 1.4 :commit:`(patch) <e34685034b60be1112160e76091e5aee60149fa1>`

September 9, 2011 - :cve:`2011-4140`
------------------------------------

Potential CSRF via ``Host`` header. `Full description
<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

This notification was an advisory only, so no patches were issued.

* Django 1.2
* Django 1.3

September 9, 2011 - :cve:`2011-4139`
------------------------------------

``Host`` header cache poisoning. `Full description
<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.2 :commit:`(patch) <c613af4d6485586c79d692b70a9acac429f3ca9d>`
* Django 1.3 :commit:`(patch) <2f7fadc38efa58ac0a8f93f936b82332a199f396>`

September 9, 2011 - :cve:`2011-4138`
------------------------------------

Information leakage/arbitrary request issuance via ``URLField.verify_exists``.
`Full description
<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.2 :commit:`(patch) <7268f8af86186518821d775c530d5558fd726930>`
* Django 1.3 :commit:`(patch) <1a76dbefdfc60e2d5954c0ba614c3d054ba9c3f0>`

September 9, 2011 - :cve:`2011-4137`
------------------------------------

Denial-of-service via ``URLField.verify_exists``. `Full description
<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.2 :commit:`(patch) <7268f8af86186518821d775c530d5558fd726930>`
* Django 1.3 :commit:`(patch) <1a76dbefdfc60e2d5954c0ba614c3d054ba9c3f0>`

September 9, 2011 - :cve:`2011-4136`
------------------------------------

Session manipulation when using memory-cache-backed session. `Full description
<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.2 :commit:`(patch) <ac7c3a110f906e4dfed3a17451bf7fd9fcb81296>`
* Django 1.3 :commit:`(patch) <fbe2eead2fa9d808658ca582241bcacb02618840>`

February 8, 2011 - :cve:`2011-0698`
-----------------------------------

Directory-traversal on Windows via incorrect path-separator handling. `Full
description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.1 :commit:`(patch) <570a32a047ea56265646217264b0d3dab1a14dbd>`
* Django 1.2 :commit:`(patch) <194566480b15cf4e294d3f03ff587019b74044b2>`

February 8, 2011 - :cve:`2011-0697`
-----------------------------------

XSS via unsanitized names of uploaded files. `Full description
<https://www.djangoproject.com/weblog/2011/feb/08/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.1 :commit:`(patch) <1966786d2dde73e17f39cf340eb33fcb5d73904e>`
* Django 1.2 :commit:`(patch) <1f814a9547842dcfabdae09573055984af9d3fab>`

February 8, 2011 - :cve:`2011-0696`
-----------------------------------

CSRF via forged HTTP headers. `Full description
<https://www.djangoproject.com/weblog/2011/feb/08/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.1 :commit:`(patch) <408c5c873ce1437c7eee9544ff279ecbad7e150a>`
* Django 1.2 :commit:`(patch) <818e70344e7193f6ebc73c82ed574e6ce3c91afc>`

December 22, 2010 - :cve:`2010-4535`
------------------------------------

Denial-of-service in password-reset mechanism. `Full description
<https://www.djangoproject.com/weblog/2010/dec/22/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.1 :commit:`(patch) <7f8dd9cbac074389af8d8fd235bf2cb657227b9a>`
* Django 1.2 :commit:`(patch) <d5d8942a160685c403d381a279e72e09de5489a9>`

December 22, 2010 - :cve:`2010-4534`
------------------------------------

Information leakage in administrative interface. `Full description
<https://www.djangoproject.com/weblog/2010/dec/22/security/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.1 :commit:`(patch) <17084839fd7e267da5729f2a27753322b9d415a0>`
* Django 1.2 :commit:`(patch) <85207a245bf09fdebe486b4c7bbcb65300f2a693>`

September 8, 2010 - :cve:`2010-3082`
------------------------------------

XSS via trusting unsafe cookie value. `Full description
<https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__

Versions affected
~~~~~~~~~~~~~~~~~

* Django 1.2 :commit:`(patch) <7f84657b6b2243cc787bdb9f296710c8d13ad0bd>`

October 9, 2009 - :cve:`2009-3965`
----------------------------------

Denial-of-service via pathological regular expression performance. `Full
description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
    
  1367. 
    
  1368. Versions affected
    
  1369. ~~~~~~~~~~~~~~~~~
    
  1370. 
    
  1371. * Django 1.0 :commit:`(patch) <594a28a9044120bed58671dde8a805c9e0f6c79a>`
    
  1372. * Django 1.1 :commit:`(patch) <e3e992e18b368fcd56aabafc1b5bf80a6e11b495>`
    
  1373. 
    
  1374. July 28, 2009 - :cve:`2009-2659`
    
  1375. --------------------------------
    
  1376. 
    
  1377. Directory-traversal in development server media handler. `Full description
    
  1378. <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
    
  1379. 
    
  1380. Versions affected
    
  1381. ~~~~~~~~~~~~~~~~~
    
  1382. 
    
  1383. * Django 0.96 :commit:`(patch) <da85d76fd6ca846f3b0ff414e042ddb5e62e2e69>`
    
  1384. * Django 1.0 :commit:`(patch) <df7f917b7f51ba969faa49d000ffc79572c5dcb4>`
    
  1385. 
    
  1386. September 2, 2008 - :cve:`2008-3909`
    
  1387. ------------------------------------
    
  1388. 
    
  1389. CSRF via preservation of POST data during admin login. `Full description
    
  1390. <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
    
  1391. 
    
  1392. Versions affected
    
  1393. ~~~~~~~~~~~~~~~~~
    
  1394. 
    
  1395. * Django 0.91 :commit:`(patch) <44debfeaa4473bd28872c735dd3d9afde6886752>`
    
  1396. * Django 0.95 :commit:`(patch) <aee48854a164382c655acb9f18b3c06c3d238e81>`
    
  1397. * Django 0.96 :commit:`(patch) <7e0972bded362bc4b851c109df2c8a6548481a8e>`
    
  1398. 
    
  1399. May 14, 2008 - :cve:`2008-2302`
    
  1400. -------------------------------
    
  1401. 
    
  1402. XSS via admin login redirect. `Full description
    
  1403. <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
    
  1404. 
    
  1405. Versions affected
    
  1406. ~~~~~~~~~~~~~~~~~
    
  1407. 
    
  1408. * Django 0.91 :commit:`(patch) <6e657e2c404a96e744748209e896d8a69c15fdf2>`
    
  1409. * Django 0.95 :commit:`(patch) <50ce7fb57d79e8940ccf6e2781f2f01df029b5c5>`
    
  1410. * Django 0.96 :commit:`(patch) <7791e5c050cebf86d868c5dab7092185b125fdc9>`
    
  1411. 
    
  1412. October 26, 2007 - :cve:`2007-5712`
    
  1413. -----------------------------------
    
  1414. 
    
  1415. Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full
    
  1416. description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
    
  1417. 
    
  1418. Versions affected
    
  1419. ~~~~~~~~~~~~~~~~~
    
  1420. 
    
  1421. * Django 0.91 :commit:`(patch) <8bc36e726c9e8c75c681d3ad232df8e882aaac81>`
    
  1422. * Django 0.95 :commit:`(patch) <412ed22502e11c50dbfee854627594f0e7e2c234>`
    
  1423. * Django 0.96 :commit:`(patch) <7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`
    
  1424. 
    
  1425. Issues prior to Django's security process
    
  1426. =========================================
    
  1427. 
    
  1428. Some security issues were handled before Django had a formalized
    
  1429. security process in use. For these, new releases may not have been
    
  1430. issued at the time and CVEs may not have been assigned.
    
  1431. 
    
  1432. January 21, 2007 - :cve:`2007-0405`
    
  1433. -----------------------------------
    
  1434. 
    
  1435. Apparent "caching" of authenticated user. `Full description
    
  1436. <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
    
  1437. 
    
  1438. Versions affected
    
  1439. ~~~~~~~~~~~~~~~~~
    
  1440. 
    
  1441. * Django 0.95 :commit:`(patch) <e89f0a65581f82a5740bfe989136cea75d09cd67>`
    
  1442. 
    
  1443. August 16, 2006 - :cve:`2007-0404`
    
  1444. ----------------------------------
    
  1445. 
    
  1446. Filename validation issue in translation framework. `Full description
    
  1447. <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
    
  1448. 
    
  1449. Versions affected
    
  1450. ~~~~~~~~~~~~~~~~~
    
  1451. 
    
  1452. * Django 0.90 :commit:`(patch) <6eefa521be3c658dc0b38f8d62d52e9801e198ab>`
    
  1453. * Django 0.91 :commit:`(patch) <d31e39173c29537e6a1613278c93634c18a3206e>`
    
  1454. * Django 0.95 :commit:`(patch) <a132d411c6986418ee6c0edc331080aa792fee6e>`
    
  1455.   (released January 21 2007)