ALT-PU-2016-2173-2 — python-module-django

CVE-2016-2512

HIGH7.4

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

Опубликовано: 2016-04-08Изменено: 2025-04-12

CVSS 2.0СРЕДНЯЯ 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xВЫСОКАЯ 7.4

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Ссылки

CVE-2016-2513

LOW3.1

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Опубликовано: 2016-04-08Изменено: 2025-04-12

CVSS 2.0НИЗКАЯ 2.6

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Ссылки

CVE-2016-6186

MEDIUM6.1

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Опубликовано: 2016-08-05Изменено: 2025-04-12

CVSS 2.0СРЕДНЯЯ 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xСРЕДНЯЯ 6.1

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Ссылки

CVE-2016-7401

HIGH7.5

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Опубликовано: 2016-10-03Изменено: 2025-04-12

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Ссылки

GHSA-c8c8-9472-w52h

MEDIUM5.3

Django Cross-site scripting Vulnerability

Опубликовано: 2022-05-14Изменено: 2024-09-17

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0СРЕДНЯЯ 5.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Ссылки

GHSA-crhm-qpjc-cm64

HIGH8.7

Django CSRF Protection Bypass

Опубликовано: 2022-05-14Изменено: 2024-09-18

CVSS 3.xВЫСОКАЯ 8.7

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 4.0ВЫСОКАЯ 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Ссылки

GHSA-fp6p-5xvw-m74f

LOW2.3

Django User Enumeration Vulnerability

Опубликовано: 2022-05-17Изменено: 2024-09-18

CVSS 3.xНИЗКАЯ 2.3

CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS 4.0НИЗКАЯ 2.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Ссылки

GHSA-pw27-w7w4-9qc7

MEDIUM6.3

Django XSS Vulnerability

Опубликовано: 2022-05-17Изменено: 2024-09-18

CVSS 3.xСРЕДНЯЯ 6.3

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

CVSS 4.0СРЕДНЯЯ 6.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Ссылки

Обновление пакета python-module-django в ветке sisyphus

Закрытые проблемы (8)

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Django Cross-site scripting Vulnerability

Django CSRF Protection Bypass

Django User Enumeration Vulnerability

Django XSS Vulnerability