Description: Unknown
Version: Removed


Group    | Affected  | Fixed     | Severity | Status       | Ticket
AVG-1081 | 1.11.26-1 | 1.11.27-1 | High     | Fixed        |
AVG-1014 | 1.11.22-1 | 1.11.23-1 | Medium   | Fixed        |
AVG-1001 | 1.11.21-1 | 1.11.22-1 | High     | Fixed        |
AVG-970  | 1.11.20-1 | 1.11.21-1 | Medium   | Fixed        |
AVG-882  | 1.11.18-1 | 1.11.19-1 | Medium   | Fixed        |
AVG-838  | 1.11.17-1 | 1.11.18-1 | Medium   | Fixed        |
AVG-774  | 1.11.15-1 |           | Medium   | Not affected |
AVG-746  | 1.11.13-1 | 1.11.15-1 | Medium   | Fixed        |
AVG-649  | 1.11.10-1 | 1.11.11-1 | Medium   | Fixed        |
AVG-624  | 1.11.8-1  | 1.11.10-1 | Medium   | Fixed        |
AVG-233  | 1.10.3-2  | 1.11-1    | Medium   | Fixed        |
AVG-57   | 1.10.2-1  | 1.10.3-1  | High     | Fixed        |
AVG-35   | 1.9.9-1   | 1.10.1-1  | Medium   | Fixed        |
Issue | Group | Severity | Remote | Type (description follows each row)
CVE-2019-19844 | AVG-1081 | High | Yes | Insufficient validation
Django's password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this...
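Worked example for CVE-2019-19844, added here as an illustration; it is not Django's source and not part of the tracker entry. The lookup is reduced to plain Python: db_iexact() stands in for the database's case-insensitive comparison behind the ORM's __iexact lookup (PostgreSQL compares UPPER(a) = UPPER(b)), the User list is constructed sample data, and the dotless-i address is assumed to be one the attacker can receive mail at. The fixed path mirrors the two changes that shipped in 1.11.27: a Unicode-aware re-check in Python (the NFKC + casefold rule from UTR #36 that Django adopted as _unicode_ci_compare) and addressing the token mail to the stored address rather than the submitted one.

```python
"""Reduction of the password-reset lookup behind CVE-2019-19844
(illustrative re-implementation, not Django's own code)."""
import unicodedata
from dataclasses import dataclass


@dataclass
class User:
    email: str
    is_active: bool = True


# Constructed sample accounts; the victim's address is plain ASCII.
USERS = [User("mike@example.org"), User("alice@example.org")]


def db_iexact(stored, submitted):
    """Stand-in for the database's case-insensitive match behind the ORM's
    __iexact lookup (PostgreSQL compares UPPER(a) = UPPER(b))."""
    return stored.upper() == submitted.upper()


def reset_targets_vulnerable(submitted):
    """Django < 1.11.27: every active row matched by iexact gets a token, and
    the mail is addressed to the *submitted* string, not the stored address."""
    return [submitted for u in USERS if u.is_active and db_iexact(u.email, submitted)]


def _unicode_ci_compare(s1, s2):
    """Unicode-aware case-insensitive identifier comparison
    (UTR #36, 2.11.2(B)(2)); this is the re-check the fix added."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_targets_fixed(submitted):
    """Django 1.11.27: keep the iexact prefilter, re-check in Python, and
    address the mail to the *stored* email of each matched account."""
    return [u.email for u in USERS
            if u.is_active and db_iexact(u.email, submitted)
            and _unicode_ci_compare(submitted, u.email)]


if __name__ == "__main__":
    # U+0131 dotless i: UPPER() folds it to ASCII 'I', casefold() leaves it alone,
    # so the database matches the victim's row but the Unicode re-check does not.
    crafted = "m\u0131ke@example.org"
    print(reset_targets_vulnerable(crafted))        # token mailed to the crafted address
    print(reset_targets_fixed(crafted))             # no match
    print(reset_targets_fixed("MIKE@example.org"))  # plain case difference still matches
```

The two layers are independent: even if a database collation folds a crafted address onto the victim's row and the re-check let it through (NFKC maps some compatibility characters, such as U+017F long s, back to ASCII), the fixed path still mails only the address stored for the account, so the attacker never receives the token.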
CVE-2019-14235 | AVG-1014 | Medium | Yes | Denial of service
If passed certain inputs, django.utils.encoding.uri_to_iri() could lead to significant memory usage due to excessive recursion when re-percent-encoding...
CVE-2019-14234 | AVG-1014 | Medium | Yes | SQL injection
Key and index lookups for JSONField and key lookups for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary...
CVE-2019-14233 | AVG-1014 | Medium | Yes | Denial of service
Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large...
CVE-2019-14232 | AVG-1014 | Medium | Yes | Denial of service
If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate...
CVE-2019-12781 | AVG-1001 | High | Yes | Silent downgrade
An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via...
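Worked example for CVE-2019-12781, added here as an illustration and not taken from Django's source: HttpRequest.scheme and the SECURE_SSL_REDIRECT decision are reduced to two functions. The META dict and the wsgi.url_scheme value are constructed; the header name and value follow the common X-Forwarded-Proto convention, which is an assumption about the deployment rather than something the advisory states. scheme_vulnerable() is the 1.11.21 logic, scheme_fixed() the 1.11.22 change.

```python
"""Reduction of HttpRequest.scheme and the SECURE_SSL_REDIRECT decision behind
CVE-2019-12781 (illustrative re-implementation, not Django's own code)."""

# Assumed deployment setting: the proxy reports the client-facing scheme in
# X-Forwarded-Proto, which WSGI exposes as META['HTTP_X_FORWARDED_PROTO'].
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_vulnerable(meta, wsgi_url_scheme):
    """Django < 1.11.22: a header that is present but not the secure value
    falls through to the transport scheme of the proxy-to-Django hop, so a
    TLS connection from the proxy masks a plain-HTTP client."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    if meta.get(header) == secure_value:
        return "https"
    return wsgi_url_scheme


def scheme_fixed(meta, wsgi_url_scheme):
    """Django 1.11.22: once the proxy sets the header, only the header
    decides; the transport scheme is consulted only when it is absent."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    header_value = meta.get(header)
    if header_value is not None:
        return "https" if header_value == secure_value else "http"
    return wsgi_url_scheme


def ssl_redirect_location(scheme, host, path):
    """What SecurityMiddleware does with SECURE_SSL_REDIRECT=True: the target
    of the permanent redirect, or None when the request already counts as
    secure (request.is_secure() is just scheme == 'https')."""
    if scheme == "https":
        return None
    return "https://%s%s" % (host, path)


if __name__ == "__main__":
    # Constructed request: the client reached the proxy over plain HTTP, but
    # the proxy talks to Django over TLS (wsgi.url_scheme == 'https').
    meta = {"HTTP_X_FORWARDED_PROTO": "http", "HTTP_HOST": "app.example.org"}
    for fn in (scheme_vulnerable, scheme_fixed):
        s = fn(meta, "https")
        print(fn.__name__, s, ssl_redirect_location(s, meta["HTTP_HOST"], "/login/"))
```

The downgrade is silent because nothing fails: the vulnerable scheme logic reports "https", the redirect is skipped, and the client keeps talking plain HTTP to the proxy. Whichever version is deployed, the proxy must still overwrite the header on every inbound request, otherwise a client can set X-Forwarded-Proto itself and the fixed code will believe it.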
CVE-2019-12308 | AVG-970 | Medium | Yes | Cross-site scripting
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated...
CVE-2019-6975 | AVG-882 | Medium | Yes | Denial of service
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows uncontrolled memory consumption via a malicious attacker-supplied value to...
CVE-2019-3498 | AVG-838 | Medium | Yes | Content spoofing
A content spoofing issue has been found in django before 2.1.5 and 1.11.18, where an attacker could craft a malicious URL that could make spoofed content...
CVE-2018-16984 | AVG-774 | Medium | Yes | Information disclosure
If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but...
CVE-2018-14574 | AVG-746 | Medium | Yes | Open redirect
If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path...
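Worked example for CVE-2018-14574, added here as an illustration rather than taken from Django. The APPEND_SLASH decision of CommonMiddleware is re-implemented against a constructed URLconf with one catch-all pattern (^(?P<path>.*)/$) and a stub resolver; escape_leading_slashes() reproduces the helper the 1.11.15 fix added to django.utils.http. browser_resolves() uses urllib's urljoin (RFC 3986 reference resolution) to show where a browser would land on the resulting Location header; the victim and attacker host names are made up.

```python
"""Reduction of the APPEND_SLASH redirect behind CVE-2018-14574
(illustrative re-implementation, not Django's own code)."""
import re
from urllib.parse import urljoin

# Constructed URLconf: a single catch-all pattern that accepts any path ending
# in '/', which is the precondition the advisory names.
URLPATTERNS = [re.compile(r"^(?P<path>.*)/$")]


def resolves(path):
    """Stub resolver: Django's root resolver consumes the first '/' and
    matches the remainder against the URLconf."""
    remainder = path[1:] if path.startswith("/") else path
    return any(p.match(remainder) for p in URLPATTERNS)


def append_slash_redirect_vulnerable(path, query=""):
    """CommonMiddleware before 1.11.15: a path without a trailing slash that
    does not resolve, but resolves once '/' is appended, is redirected to
    the slash-appended path verbatim."""
    if path.endswith("/") or resolves(path) or not resolves(path + "/"):
        return None
    return path + "/" + ("?" + query if query else "")


def escape_leading_slashes(url):
    """Helper introduced by the fix: percent-encode the second of two leading
    slashes so the Location header is an absolute path, not a
    scheme-relative (network-path) URL."""
    if url.startswith("//"):
        url = "/%2F{}".format(url[2:])
    return url


def append_slash_redirect_fixed(path, query=""):
    """CommonMiddleware from 1.11.15: same decision, escaped redirect target."""
    target = append_slash_redirect_vulnerable(path, query)
    return None if target is None else escape_leading_slashes(target)


def browser_resolves(location, current="https://victim.example/"):
    """Where a browser lands for a given Location header (RFC 3986 reference
    resolution, which urljoin implements); the current page is constructed."""
    return urljoin(current, location)


if __name__ == "__main__":
    crafted = "//attacker.example"   # a path, as far as Django is concerned
    for fn in (append_slash_redirect_vulnerable, append_slash_redirect_fixed):
        loc = fn(crafted)
        print(fn.__name__, loc, "->", browser_resolves(loc))
```

The redirect target is never a full URL from Django's point of view, which is why is_safe_url()-style checks on the redirect do not come into play here: the danger is purely that "//host/" is interpreted by browsers as a network-path reference. Ordinary paths ("/about" to "/about/") behave identically before and after the fix.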
CVE-2018-7537 | AVG-649 | Medium | Yes | Denial of service
If django.utils.text.Truncator’s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to...
CVE-2018-7536 | AVG-649 | Medium | Yes | Denial of service
The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular...
CVE-2018-6188 | AVG-624 | Medium | Yes | Information disclosure
A regression in Django 1.11.8 and 1.11.9 before 1.11.10 and 2.0 before 2.0.2 made AuthenticationForm run its confirm_login_allowed() method even if an...
CVE-2017-7234 | AVG-233 | Medium | Yes | Open redirect
A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t...
CVE-2017-7233 | AVG-233 | Medium | Yes | Cross-site scripting
Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check...
CVE-2016-9014 | AVG-57 | High | Yes | Access restriction bypass
Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS...
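Worked example for CVE-2016-9014, added here as an illustration and not Django's own code. It re-implements the Host header parsing and ALLOWED_HOSTS matching that HttpRequest.get_host() performs, then contrasts the two DEBUG policies: before 1.10.3, DEBUG=True disabled validation outright; from 1.10.3, DEBUG=True only substitutes loopback names when ALLOWED_HOSTS is empty. The host names, the rebinding scenario and the policy function names are constructed for the example.

```python
"""Reduction of Host header validation behind CVE-2016-9014
(illustrative re-implementation, not Django's own code)."""
import re

# Same shape as Django's host_validation_re: a DNS name or a bracketed IPv6
# literal, optionally followed by a port.
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:\d+)?$")


def split_domain_port(host):
    """Return (domain, port); an unparseable header yields ('', '') and is
    rejected by the caller."""
    host = host.lower()
    if not HOST_VALIDATION_RE.match(host):
        return "", ""
    if host[-1] == "]":  # bare IPv6 literal without a port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    return (domain[:-1] if domain.endswith(".") else domain), port


def is_same_domain(host, pattern):
    """'.example.org' matches the domain itself and any subdomain; any other
    pattern must match exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def validate_host(host, allowed_hosts):
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def allowed_hosts_vulnerable(debug, allowed_hosts):
    """Before 1.10.3: DEBUG=True switched validation off ('*' matches anything),
    so a dev server answered for whatever name a rebinding attack used."""
    return ["*"] if debug else list(allowed_hosts)


def allowed_hosts_fixed(debug, allowed_hosts):
    """From 1.10.3: DEBUG=True only fills in loopback names when ALLOWED_HOSTS
    is empty; a configured list is enforced exactly as with DEBUG=False."""
    if debug and not allowed_hosts:
        return ["localhost", "127.0.0.1", "[::1]"]
    return list(allowed_hosts)


def host_accepted(header, debug, allowed_hosts, policy):
    """Mirror of HttpRequest.get_host(): True if the request would be served,
    False where Django would raise DisallowedHost."""
    domain, _port = split_domain_port(header)
    return bool(domain) and validate_host(domain, policy(debug, allowed_hosts))


if __name__ == "__main__":
    # Constructed DNS-rebinding scenario: the browser still sends the attacker's
    # hostname while that name now resolves to the developer's machine.
    rebinding_host = "rebind.attacker.example"
    for policy in (allowed_hosts_vulnerable, allowed_hosts_fixed):
        print(policy.__name__,
              host_accepted(rebinding_host, True, [], policy),
              host_accepted("localhost:8000", True, [], policy))
```

The loopback fallback is the only concession the fix makes: a developer who sets ALLOWED_HOSTS explicitly while DEBUG=True gets it enforced, and a rebinding page can only reach the dev server if it can make the browser send one of the three loopback names, which the attacker's own DNS name never is.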
CVE-2016-9013 | AVG-57 | High | Yes | Authentication bypass
When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the...
CVE-2016-7401 | AVG-35 | Medium | Yes | Cross-site request forgery
Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary...


Date        | Advisory      | Group    | Severity | Type
05 Aug 2019 | ASA-201908-3  | AVG-1014 | Medium   | multiple issues
06 Jul 2019 | ASA-201907-3  | AVG-1001 | High     | silent downgrade
04 Jun 2019 | ASA-201906-1  | AVG-970  | Medium   | cross-site scripting
12 Feb 2019 | ASA-201902-15 | AVG-882  | Medium   | denial of service
11 Jan 2019 | ASA-201901-7  | AVG-838  | Medium   | content spoofing
03 Aug 2018 | ASA-201808-3  | AVG-746  | Medium   | open redirect
06 Mar 2018 | ASA-201803-6  | AVG-649  | Medium   | denial of service
06 Apr 2017 | ASA-201704-1  | AVG-233  | Medium   | multiple issues
16 Nov 2016 | ASA-201611-14 | AVG-57   | High     | multiple issues
21 Oct 2016 | ASA-201610-12 | AVG-35   | Medium   | cross-site request forgery