Archive of security issues
Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.
As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).
Some important caveats apply to this information:
- Lists of affected versions include only those versions of Django which had stable, security-supported releases at the time of disclosure. This means older versions (whose security support had expired) and versions which were in pre-release (alpha/beta/RC) states at the time of disclosure may have been affected, but are not listed.
- The Django project has on occasion issued security advisories, pointing out potential security problems which can arise from improper configuration or from other issues outside of Django itself. Some of these advisories have received CVEs; when that is the case, they are listed here, but as they have no accompanying patches or releases, only the description, disclosure and CVE will be listed.
Issues prior to Django’s security process
Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.
August 16, 2006 - CVE-2007-0404
Filename validation issue in translation framework. Full description
January 21, 2007 - CVE-2007-0405
Apparent “caching” of authenticated user. Full description
Versions affected
- Django 0.95 (patch)
Issues under Django’s security process
All other security issues have been handled under versions of Django’s security process. These are listed below.
October 26, 2007 - CVE-2007-5712
Denial-of-service via arbitrarily-large Accept-Language
header. Full
description
May 14, 2008 - CVE-2008-2302
XSS via admin login redirect. Full description
September 2, 2008 - CVE-2008-3909
CSRF via preservation of POST data during admin login. Full description
July 28, 2009 - CVE-2009-2659
Directory-traversal in development server media handler. Full description
October 9, 2009 - CVE-2009-3965
Denial-of-service via pathological regular expression performance. Full description
September 8, 2010 - CVE-2010-3082
XSS via trusting unsafe cookie value. Full description
Versions affected
- Django 1.2 (patch)
December 22, 2010 - CVE-2010-4534
Information leakage in administrative interface. Full description
December 22, 2010 - CVE-2010-4535
Denial-of-service in password-reset mechanism. Full description
February 8, 2011 - CVE-2011-0696
CSRF via forged HTTP headers. Full description
February 8, 2011 - CVE-2011-0697
XSS via unsanitized names of uploaded files. Full description
February 8, 2011 - CVE-2011-0698
Directory-traversal on Windows via incorrect path-separator handling. Full description
September 9, 2011 - CVE-2011-4136
Session manipulation when using memory-cache-backed session. Full description
September 9, 2011 - CVE-2011-4137
Denial-of-service via URLField.verify_exists
. Full description
September 9, 2011 - CVE-2011-4138
Information leakage/arbitrary request issuance via URLField.verify_exists
.
Full description
September 9, 2011 - CVE-2011-4139
Host
header cache poisoning. Full description
September 9, 2011 - CVE-2011-4140
Potential CSRF via Host
header. Full description
Versions affected
This notification was an advisory only, so no patches were issued.
- Django 1.2
- Django 1.3
July 30, 2012 - CVE-2012-3442
XSS via failure to validate redirect scheme. Full description
July 30, 2012 - CVE-2012-3443
Denial-of-service via compressed image files. Full description
July 30, 2012 - CVE-2012-3444
Denial-of-service via large image files. Full description
October 17, 2012 - CVE-2012-4520
Host
header poisoning. Full description
December 10, 2012 - No CVE 1
Additional hardening of Host
header handling. Full description
December 10, 2012 - No CVE 2
Additional hardening of redirect validation. Full description
February 19, 2013 - No CVE
Additional hardening of Host
header handling. Full description
February 19, 2013 - CVE-2013-1664 / CVE-2013-1665
Entity-based attacks against Python XML libraries. Full description
February 19, 2013 - CVE-2013-0305
Information leakage via admin history log. Full description
February 19, 2013 - CVE-2013-0306
Denial-of-service via formset max_num
bypass. Full description
August 13, 2013 - CVE-2013-4249
XSS via admin trusting URLField
values. Full description
Versions affected
- Django 1.5 (patch)
August 13, 2013 - CVE-2013-6044
Possible XSS via unvalidated URL redirect schemes. Full description
September 10, 2013 - CVE-2013-4315
Directory-traversal via ssi
template tag. Full description
September 14, 2013 - CVE-2013-1443
Denial-of-service via large passwords. Full description
Versions affected
- Django 1.4 (patch and Python compatibility fix)
- Django 1.5 (patch)
April 21, 2014 - CVE-2014-0472
Unexpected code execution using reverse()
. Full description
April 21, 2014 - CVE-2014-0473
Caching of anonymous pages could reveal CSRF token. Full description
April 21, 2014 - CVE-2014-0474
MySQL typecasting causes unexpected query results. Full description
May 18, 2014 - CVE-2014-1418
Caches may be allowed to store and serve private data. Full description
May 18, 2014 - CVE-2014-3730
Malformed URLs from user input incorrectly validated. Full description
August 20, 2014 - CVE-2014-0480
reverse()
can generate URLs pointing to other hosts. Full description
August 20, 2014 - CVE-2014-0481
File upload denial of service. Full description
August 20, 2014 - CVE-2014-0482
RemoteUserMiddleware
session hijacking. Full description
August 20, 2014 - CVE-2014-0483
Data leakage via querystring manipulation in admin. Full description
January 13, 2015 - CVE-2015-0219
WSGI header spoofing via underscore/dash conflation. Full description
January 13, 2015 - CVE-2015-0220
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
January 13, 2015 - CVE-2015-0221
Denial-of-service attack against django.views.static.serve()
. Full
description
January 13, 2015 - CVE-2015-0222
Database denial-of-service with ModelMultipleChoiceField
. Full description
March 9, 2015 - CVE-2015-2241
XSS attack via properties in ModelAdmin.readonly_fields
. Full description
March 18, 2015 - CVE-2015-2316
Denial-of-service possibility with strip_tags()
. Full description
March 18, 2015 - CVE-2015-2317
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
May 20, 2015 - CVE-2015-3982
Fixed session flushing in the cached_db backend. Full description
Versions affected
- Django 1.8 (patch)
July 8, 2015 - CVE-2015-5143
Denial-of-service possibility by filling session store. Full description
July 8, 2015 - CVE-2015-5144
Header injection possibility since validators accept newlines in input. Full description
July 8, 2015 - CVE-2015-5145
Denial-of-service possibility in URL validation. Full description
Versions affected
- Django 1.8 (patch)
August 18, 2015 - CVE-2015-5963 / CVE-2015-5964
Denial-of-service possibility in logout()
view by filling session store.
Full description
November 24, 2015 - CVE-2015-8213
Settings leak possibility in date
template filter. Full description
February 1, 2016 - CVE-2016-2048
User with “change” but not “add” permission can create objects for
ModelAdmin
’s with save_as=True
. Full description
Versions affected
- Django 1.9 (patch)
March 1, 2016 - CVE-2016-2512
Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description
March 1, 2016 - CVE-2016-2513
User enumeration through timing difference on password hasher work factor upgrade. Full description
July 18, 2016 - CVE-2016-6186
XSS in admin’s add/change related popup. Full description
September 26, 2016 - CVE-2016-7401
CSRF protection bypass on a site with Google Analytics. Full description
November 1, 2016 - CVE-2016-9013
User with hardcoded password created when running tests on Oracle. Full description
November 1, 2016 - CVE-2016-9014
DNS rebinding vulnerability when DEBUG=True
. Full description
April 4, 2017 - CVE-2017-7233
Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description
April 4, 2017 - CVE-2017-7234
Open redirect vulnerability in django.views.static.serve()
. Full
description
September 5, 2017 - CVE-2017-12794
Possible XSS in traceback section of technical 500 debug page. Full description
February 1, 2018 - CVE-2018-6188
Information leakage in AuthenticationForm
. Full description
March 6, 2018 - CVE-2018-7536
Denial-of-service possibility in urlize
and urlizetrunc
template
filters. Full description
March 6, 2018 - CVE-2018-7537
Denial-of-service possibility in truncatechars_html
and
truncatewords_html
template filters. Full description