feemstr / django.nv2
This project forked from netspi/django.nv
Vulnerable Django Application
License: GNU General Public License v2.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.js
Path to vulnerable library: /taskManager/static/taskManager/js/bootstrap.js
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
CVE | Severity | CVSS | Dependency | Type | Fixed in (bootstrap version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2019-8331 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1 | ❌ |
CVE-2018-20677 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | bootstrap - 3.4.0 | ❌ |
CVE-2018-20676 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | bootstrap - 3.4.0 | ❌ |
CVE-2018-14042 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0 | ❌ |
CVE-2016-10735 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | bootstrap - 3.4.0, 4.0.0-beta.2 | ❌ |
CVE-2018-14040 | Low | 3.7 | bootstrap-3.2.0.js | Direct | bootstrap - 3.4.0,4.1.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Mend Note: Converted from WS-2018-0021, on 2022-11-08.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14040
Release Date: 2018-07-13
Fix Resolution: bootstrap - 3.4.0,4.1.2
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery-1.8.3.min.js
CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-11023 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ |
CVE-2020-11022 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jQuery - 3.5.0 | ❌ |
CVE-2015-9251 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jQuery - 3.0.0 | ❌ |
CVE-2019-11358 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jquery - 3.4.0 | ❌ |
CVE-2020-7656 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jquery - 1.9.0 | ❌ |
CVE-2012-6708 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jQuery - v1.9.0 | ❌ |
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery.js
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2020-11023 | Medium | 6.1 | jquery-1.10.2.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ |
CVE-2020-11022 | Medium | 6.1 | jquery-1.10.2.min.js | Direct | jQuery - 3.5.0 | ❌ |
CVE-2019-11358 | Medium | 6.1 | jquery-1.10.2.min.js | Direct | jquery - 3.4.0 | ❌ |
CVE-2015-9251 | Medium | 6.1 | jquery-1.10.2.min.js | Direct | jQuery - 3.0.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (Django version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-19844 | High | 9.8 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.11.27;2.2.9;3.0.1 | ✅ |
CVE-2022-34265 | High | 9.8 | Django-1.8.3-py2.py3-none-any.whl | Direct | Django - 3.2.14,4.0.6 | ✅ |
CVE-2016-9013 | High | 9.8 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.16,1.9.11,1.10.3 | ✅ |
CVE-2016-9014 | High | 8.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.16,1.9.11,1.10.3 | ✅ |
CVE-2016-7401 | High | 7.5 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.15,1.9.10 | ✅ |
CVE-2016-2512 | High | 7.4 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.10,1.9.3 | ✅ |
CVE-2021-44420 | High | 7.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | Django - 2.2.25,3.1.14,3.2.10 | ✅ |
CVE-2016-6186 | Medium | 6.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.14,1.9.8,1.10rc1 | ✅ |
CVE-2017-7234 | Medium | 6.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.10.7,1.9.13,1.8.18 | ✅ |
CVE-2017-7233 | Medium | 6.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.10.7,1.9.13,1.8.18 | ✅ |
CVE-2015-5963 | Medium | 5.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.4,1.7.10,1.4.22 | ✅ |
CVE-2015-8213 | Medium | 5.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.7 | ✅ |
CVE-2018-7536 | Medium | 5.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | 2.0.3,1.11.11,1.8.19 | ✅ |
CVE-2018-7537 | Medium | 5.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | 2.0.3,1.11.11,1.8.19 | ✅ |
CVE-2016-2513 | Low | 3.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.10,1.9.3 | ✅ |
Found in base branch: master
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Publish Date: 2019-12-18
URL: CVE-2019-19844
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
Release Date: 2019-12-18
Fix Resolution: 1.11.27;2.2.9;3.0.1
⛑️ Automatic Remediation is available for this issue
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.
Publish Date: 2022-07-04
URL: CVE-2022-34265
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Release Date: 2022-07-04
Fix Resolution: Django - 3.2.14,4.0.6
⛑️ Automatic Remediation is available for this issue
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
Publish Date: 2016-12-09
URL: CVE-2016-9013
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9013
Release Date: 2016-12-09
Fix Resolution: 1.8.16,1.9.11,1.10.3
⛑️ Automatic Remediation is available for this issue
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
Publish Date: 2016-12-09
URL: CVE-2016-9014
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9014
Release Date: 2016-12-09
Fix Resolution: 1.8.16,1.9.11,1.10.3
⛑️ Automatic Remediation is available for this issue
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Publish Date: 2016-10-03
URL: CVE-2016-7401
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7401
Release Date: 2016-10-03
Fix Resolution: 1.8.15,1.9.10
⛑️ Automatic Remediation is available for this issue
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Publish Date: 2016-04-08
URL: CVE-2016-2512
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2512
Release Date: 2016-04-08
Fix Resolution: 1.8.10,1.9.3
⛑️ Automatic Remediation is available for this issue
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Publish Date: 2021-12-08
URL: CVE-2021-44420
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.djangoproject.com/en/3.2/releases/security/
Release Date: 2021-12-08
Fix Resolution: Django - 2.2.25,3.1.14,3.2.10
⛑️ Automatic Remediation is available for this issue
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Publish Date: 2016-08-05
URL: CVE-2016-6186
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6186
Release Date: 2016-08-05
Fix Resolution: 1.8.14,1.9.8,1.10rc1
⛑️ Automatic Remediation is available for this issue
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the django.views.static.serve() view could redirect to any other domain, aka an open redirect vulnerability.
Publish Date: 2017-04-04
URL: CVE-2017-7234
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-7234
Release Date: 2017-04-04
Fix Resolution: 1.10.7,1.9.13,1.8.18
⛑️ Automatic Remediation is available for this issue
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
Publish Date: 2017-04-04
URL: CVE-2017-7233
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-7233
Release Date: 2017-04-04
Fix Resolution: 1.10.7,1.9.13,1.8.18
⛑️ Automatic Remediation is available for this issue
contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.
Publish Date: 2015-08-24
URL: CVE-2015-5963
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5963
Release Date: 2015-08-24
Fix Resolution: 1.8.4,1.7.10,1.4.22
⛑️ Automatic Remediation is available for this issue
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
Publish Date: 2015-12-07
URL: CVE-2015-8213
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8213
Release Date: 2015-12-07
Fix Resolution: 1.8.7
⛑️ Automatic Remediation is available for this issue
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.
Publish Date: 2018-03-09
URL: CVE-2018-7536
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7536
Release Date: 2018-03-09
Fix Resolution: 2.0.3,1.11.11,1.8.19
⛑️ Automatic Remediation is available for this issue
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Publish Date: 2018-03-09
URL: CVE-2018-7537
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7537
Release Date: 2018-03-09
Fix Resolution: 2.0.3,1.11.11,1.8.19
⛑️ Automatic Remediation is available for this issue
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Publish Date: 2016-04-08
URL: CVE-2016-2513
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2513
Release Date: 2016-04-08
Fix Resolution: 1.8.10,1.9.3
⛑️ Automatic Remediation is available for this issue
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.js
Path to vulnerable library: /taskManager/static/taskManager/js/bootstrap.js
CVE | Severity | CVSS | Dependency | Type | Fixed in (bootstrap version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-8331 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1 | ❌ |
CVE-2018-14040 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ |
CVE-2018-20677 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0 | ❌ |
CVE-2018-20676 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | bootstrap - 3.4.0 | ❌ |
CVE-2018-14042 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ |
CVE-2016-10735 | Medium | 6.1 | bootstrap-3.2.0.js | Direct | bootstrap - 3.4.0, 4.0.0-beta.2 | ❌ |
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.js
Path to vulnerable library: /taskManager/static/taskManager/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.js
Path to vulnerable library: /taskManager/static/taskManager/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.js
Path to vulnerable library: /taskManager/static/taskManager/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.js
Path to vulnerable library: /taskManager/static/taskManager/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.js
Path to vulnerable library: /taskManager/static/taskManager/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.js
Path to vulnerable library: /taskManager/static/taskManager/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
CVE | Severity | CVSS | Dependency | Type | Fixed in (Django version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-34265 | Critical | 9.8 | Django-1.8.3-py2.py3-none-any.whl | Direct | Django - 3.2.14,4.0.6 | ✅ |
CVE-2019-19844 | Critical | 9.8 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.11.27;2.2.9;3.0.1 | ✅ |
CVE-2016-9013 | Critical | 9.8 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.16 | ✅ |
CVE-2016-9014 | High | 8.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.16 | ✅ |
CVE-2016-7401 | High | 7.5 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.15,1.9.10 | ✅ |
CVE-2016-2512 | High | 7.4 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.10,1.9.3 | ✅ |
CVE-2021-44420 | High | 7.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | Django - 2.2.25,3.1.14,3.2.10 | ✅ |
CVE-2017-7234 | Medium | 6.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.10.7,1.9.13,1.8.18 | ✅ |
CVE-2017-7233 | Medium | 6.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.18 | ✅ |
CVE-2016-6186 | Medium | 6.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.14,1.9.8,1.10rc1 | ✅ |
CVE-2018-7537 | Medium | 5.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.19 | ✅ |
CVE-2018-7536 | Medium | 5.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.19 | ✅ |
CVE-2015-8213 | Medium | 5.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.7.x,1.7.11,1.8.7,1.9rc2 | ✅ |
CVE-2015-5963 | Medium | 5.3 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.4,1.7.10,1.4.22 | ✅ |
CVE-2016-2513 | Low | 3.1 | Django-1.8.3-py2.py3-none-any.whl | Direct | 1.8.10 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.
Publish Date: 2022-07-04
URL: CVE-2022-34265
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Release Date: 2022-07-04
Fix Resolution: Django - 3.2.14,4.0.6
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Publish Date: 2019-12-18
URL: CVE-2019-19844
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
Release Date: 2019-12-18
Fix Resolution: 1.11.27;2.2.9;3.0.1
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
Publish Date: 2016-12-09
URL: CVE-2016-9013
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9013
Release Date: 2016-12-09
Fix Resolution: 1.8.16
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
Publish Date: 2016-12-09
URL: CVE-2016-9014
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9014
Release Date: 2016-12-09
Fix Resolution: 1.8.16
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Publish Date: 2016-10-03
URL: CVE-2016-7401
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7401
Release Date: 2016-10-03
Fix Resolution: 1.8.15,1.9.10
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Publish Date: 2016-04-08
URL: CVE-2016-2512
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2512
Release Date: 2016-04-08
Fix Resolution: 1.8.10,1.9.3
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Publish Date: 2021-12-08
URL: CVE-2021-44420
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.djangoproject.com/en/3.2/releases/security/
Release Date: 2021-12-08
Fix Resolution: Django - 2.2.25,3.1.14,3.2.10
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the django.views.static.serve() view could redirect to any other domain, aka an open redirect vulnerability.
Publish Date: 2017-04-04
URL: CVE-2017-7234
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-7234
Release Date: 2017-04-04
Fix Resolution: 1.10.7,1.9.13,1.8.18
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
Publish Date: 2017-04-04
URL: CVE-2017-7233
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-7233
Release Date: 2017-04-04
Fix Resolution: 1.8.18
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Publish Date: 2016-08-05
URL: CVE-2016-6186
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6186
Release Date: 2016-08-05
Fix Resolution: 1.8.14,1.9.8,1.10rc1
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Publish Date: 2018-03-09
URL: CVE-2018-7537
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7537
Release Date: 2018-03-09
Fix Resolution: 1.8.19
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.
Publish Date: 2018-03-09
URL: CVE-2018-7536
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7536
Release Date: 2018-03-09
Fix Resolution: 1.8.19
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
Publish Date: 2015-12-07
URL: CVE-2015-8213
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8213
Release Date: 2015-12-07
Fix Resolution: 1.7.x,1.7.11,1.8.7,1.9rc2
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.
Publish Date: 2015-08-24
URL: CVE-2015-5963
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5963
Release Date: 2015-08-24
Fix Resolution: 1.8.4,1.7.10,1.4.22
⛑️ Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/a3/e1/0f3c17b1caa559ba69513ff72e250377c268d5bd3e8ad2b22809c7e2e907/Django-1.8.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Publish Date: 2016-04-08
URL: CVE-2016-2513
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2513
Release Date: 2016-04-08
Fix Resolution: 1.8.10
⛑️ Automatic Remediation will be attempted for this issue.
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery-1.8.3.min.js
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2020-7656 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jquery - 1.9.0 | ❌ |
CVE-2020-11023 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ |
CVE-2020-11022 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jQuery - 3.5.0 | ❌ |
CVE-2019-11358 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jquery - 3.4.0 | ❌ |
CVE-2015-9251 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jQuery - 3.0.0 | ❌ |
CVE-2012-6708 | Medium | 6.1 | jquery-1.8.3.min.js | Direct | jQuery - v1.9.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery-1.8.3.min.js
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery-1.8.3.min.js
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing `<option>` elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery-1.8.3.min.js
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery-1.8.3.min.js
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery-1.8.3.min.js
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js
Path to vulnerable library: /taskManager/static/taskManager/js/jquery-1.8.3.min.js
Dependency Hierarchy:
Found in HEAD commit: a77acfa6fbc21e48259a52e75772122dee2da1d3
Found in base branch: master
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0