python2-django

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description A high-level Python Web framework that encourages rapid development and clean design
Version 1.11.10-1 [extra]

Resolved

Group Affected Fixed Severity Status Ticket
AVG-624 1.11.9-1 1.11.10-1 Medium Fixed
AVG-233 1.10.3-2 1.11-1 Medium Fixed
AVG-57 1.10.2-1 1.10.3-1 High Fixed
AVG-35 1.9.9-1 1.10.1-1 Medium Fixed
Issue Group Severity Remote Type Description
CVE-2018-6188 AVG-624 Medium Yes Information disclosure
A regression in Django before 1.11.10 and 2.0.2 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered....
CVE-2017-7234 AVG-233 Medium Yes Open redirect
A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t...
CVE-2017-7233 AVG-233 Medium Yes Cross-site scripting
Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check...
CVE-2016-9014 AVG-57 High Yes Access restriction bypass
Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS...
CVE-2016-9013 AVG-57 High Yes Authentication bypass
When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the...
CVE-2016-7401 AVG-35 Medium Yes Cross-site request forgery
Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary...

Advisories

Date Advisory Group Severity Description
06 Apr 2017 ASA-201704-1 AVG-233 Medium multiple issues
16 Nov 2016 ASA-201611-14 AVG-57 High multiple issues
21 Oct 2016 ASA-201610-12 AVG-35 Medium cross-site request forgery