Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.
As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).
Some important caveats apply to this information:
Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.
CVE-2007-0404: Filename validation issue in translation framework. Full description
CVE-2007-0405: Apparent “caching” of authenticated user. Full description
All other security issues have been handled under versions of Django’s security process. These are listed below.
CVE-2007-5712: Denial-of-service via arbitrarily-large Accept-Language header. Full description
CVE-2008-2302: XSS via admin login redirect. Full description
CVE-2008-3909: CSRF via preservation of POST data during admin login. Full description
CVE-2009-2659: Directory-traversal in development server media handler. Full description
CVE-2009-3965: Denial-of-service via pathological regular expression performance. Full description
CVE-2010-3082: XSS via trusting unsafe cookie value. Full description
CVE-2010-4534: Information leakage in administrative interface. Full description
CVE-2010-4535: Denial-of-service in password-reset mechanism. Full description
CVE-2011-0696: CSRF via forged HTTP headers. Full description
CVE-2011-0697: XSS via unsanitized names of uploaded files. Full description
CVE-2011-0698: Directory-traversal on Windows via incorrect path-separator handling. Full description
CVE-2011-4136: Session manipulation when using memory-cache-backed session. Full description
CVE-2011-4137: Denial-of-service via via URLField.verify_exists. Full description
CVE-2011-4138: Information leakage/arbitrary request issuance via URLField.verify_exists. Full description
CVE-2011-4139: Host header cache poisoning. Full description
CVE-2011-4140: Potential CSRF via Host header. Full description
This notification was an advisory only, so no patches were issued.
CVE-2012-3442: XSS via failure to validate redirect scheme. Full description
CVE-2012-3443: Denial-of-service via compressed image files. Full description
CVE-2012-3444: Denial-of-service via large image files. Full description
CVE-2012-4520: Host header poisoning. Full description
Additional hardening of Host header handling. Full description
Additional hardening of redirect validation. Full description
Additional hardening of Host header handling. Full description
CVE-2013-1664 and CVE-2013-1665: Entity-based attacks against Python XML libraries. Full description
CVE-2013-0305: Information leakage via admin history log. Full description
CVE-2013-0306: Denial-of-service via formset max_num bypass. Full description
CVE-2013-4249: XSS via admin trusting URLField values. Full description
CVE-2013-6044: Possible XSS via unvalidated URL redirect schemes. Full description
CVE-2013-4315 Directory-traversal via ssi template tag. Full description
CVE-2013-1443: Denial-of-service via large passwords. Full description
CVE-2014-0472: Unexpected code execution using reverse(). Full description
CVE-2014-0473: Caching of anonymous pages could reveal CSRF token. Full description
CVE-2014-0474: MySQL typecasting causes unexpected query results. Full description
CVE-2014-1418: Caches may be allowed to store and serve private data. Full description
CVE-2014-3730: Malformed URLs from user input incorrectly validated. Full description
CVE-2014-0480: reverse() can generate URLs pointing to other hosts. Full description
CVE-2014-0481: File upload denial of service. Full description
CVE-2014-0482: RemoteUserMiddleware session hijacking. Full description
CVE-2014-0483: Data leakage via querystring manipulation in admin. Full description
CVE-2015-0219: WSGI header spoofing via underscore/dash conflation. Full description
CVE-2015-0220: Mitigated possible XSS attack via user-supplied redirect URLs. Full description
CVE-2015-0221: Denial-of-service attack against django.views.static.serve(). Full description
CVE-2015-0222: Database denial-of-service with ModelMultipleChoiceField. Full description
CVE-2015-2241: XSS attack via properties in ModelAdmin.readonly_fields. Full description
CVE-2015-2316: Denial-of-service possibility with strip_tags(). Full description
CVE-2015-2317: Mitigated possible XSS attack via user-supplied redirect URLs. Full description
CVE-2015-3982: Fixed session flushing in the cached_db backend. Full description
CVE-2015-5143: Denial-of-service possibility by filling session store. Full description
CVE-2015-5144: Header injection possibility since validators accept newlines in input. Full description
CVE-2015-5145: Denial-of-service possibility in URL validation. Full description
CVE-2015-5963 and CVE-2015-5964: Denial-of-service possibility in logout() view by filling session store. Full description
CVE-2015-8213: Settings leak possibility in date template filter. Full description
Mar 31, 2016