All errata/sisyphus/ALT-PU-2016-2173-2
ALT-PU-2016-2173-2

Package update python-module-django in branch sisyphus

Version1.8.15-alt1
Task#171331
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (8)

CVE-2016-2512
HIGH7.4

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

Published: 2016-04-08Modified: 2025-04-12
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xHIGH 7.4
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
References
CVE-2016-2513
LOW3.1

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Published: 2016-04-08Modified: 2025-04-12
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS 3.xLOW 3.1
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
References
CVE-2016-6186
MEDIUM6.1

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Published: 2016-08-05Modified: 2025-04-12
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 6.1
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
CVE-2016-7401
HIGH7.5

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Published: 2016-10-03Modified: 2025-04-12
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
GHSA-c8c8-9472-w52h
MEDIUM5.3

Django Cross-site scripting Vulnerability

Published: 2022-05-14Modified: 2024-09-17
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0MEDIUM 5.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References
GHSA-crhm-qpjc-cm64
HIGH8.7

Django CSRF Protection Bypass

Published: 2022-05-14Modified: 2024-09-18
CVSS 3.xHIGH 8.7
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0HIGH 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References
GHSA-fp6p-5xvw-m74f
LOW2.3

Django User Enumeration Vulnerability

Published: 2022-05-17Modified: 2024-09-18
CVSS 3.xLOW 2.3
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS 4.0LOW 2.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References
GHSA-pw27-w7w4-9qc7
MEDIUM6.3

Django XSS Vulnerability

Published: 2022-05-17Modified: 2024-09-18
CVSS 3.xMEDIUM 6.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSS 4.0MEDIUM 6.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
References