Django-1.2.2.tar.gz: 30 vulnerabilities (highest severity is: 9.8)

[dev-mend-for-github-com[bot]]

Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (Django version)	Remediation Possible**
CVE-2022-34265	Critical	9.8	Django-1.2.2.tar.gz	Direct	3.2.14	❌
CVE-2019-19844	Critical	9.8	Django-1.2.2.tar.gz	Direct	1.11.27;2.2.9;3.0.1	❌
CVE-2014-0474	Critical	9.8	Django-1.2.2.tar.gz	Direct	1.4.11	❌
CVE-2015-5143	High	7.5	Django-1.2.2.tar.gz	Direct	1.4.21	❌
CVE-2021-44420	High	7.3	Django-1.2.2.tar.gz	Direct	Django - 2.2.25,3.1.14,3.2.10	❌
CVE-2011-0698	High	7.3	Django-1.2.2.tar.gz	Direct	1.2.5	❌
CVE-2016-6186	Medium	6.1	Django-1.2.2.tar.gz	Direct	1.8.14,1.9.8,1.10rc1	❌
CVE-2014-0472	Medium	5.6	Django-1.2.2.tar.gz	Direct	1.4.11	❌
CVE-2011-4140	Medium	5.6	Django-1.2.2.tar.gz	Direct	1.2.7	❌
CVE-2011-0696	Medium	5.6	Django-1.2.2.tar.gz	Direct	1.2.5	❌
CVE-2015-0221	Medium	5.3	Django-1.2.2.tar.gz	Direct	1.4.18	❌
CVE-2015-0219	Medium	5.3	Django-1.2.2.tar.gz	Direct	1.4.18	❌
CVE-2012-3444	Medium	5.3	Django-1.2.2.tar.gz	Direct	1.3.3	❌
CVE-2012-3443	Medium	5.3	Django-1.2.2.tar.gz	Direct	1.4.1	❌
CVE-2011-4139	Medium	5.3	Django-1.2.2.tar.gz	Direct	1.2.7	❌
CVE-2011-4138	Medium	5.3	Django-1.2.2.tar.gz	Direct	1.2.7	❌
CVE-2011-4137	Medium	5.3	Django-1.2.2.tar.gz	Direct	1.2.7	❌
CVE-2010-4535	Medium	5.3	Django-1.2.2.tar.gz	Direct	1.2.4	❌
CVE-2014-0482	Medium	5.0	Django-1.2.2.tar.gz	Direct	1.4.14,1.5.9,1.6.6,1.7	❌
CVE-2014-0480	Medium	4.8	Django-1.2.2.tar.gz	Direct	1.4.14	❌
CVE-2011-4136	Medium	4.8	Django-1.2.2.tar.gz	Direct	1.2.7	❌
CVE-2010-4534	Medium	4.3	Django-1.2.2.tar.gz	Direct	1.2.4	❌
CVE-2015-5144	Low	3.7	Django-1.2.2.tar.gz	Direct	1.4.21	❌
CVE-2015-2317	Low	3.7	Django-1.2.2.tar.gz	Direct	1.4.20,1.6.11,1.7.7,1.8c1	❌
CVE-2015-0220	Low	3.7	Django-1.2.2.tar.gz	Direct	1.4.18	❌
CVE-2014-0481	Low	3.7	Django-1.2.2.tar.gz	Direct	1.4.14	❌
CVE-2012-3442	Low	3.7	Django-1.2.2.tar.gz	Direct	1.3.2	❌
CVE-2011-0697	Low	3.7	Django-1.2.2.tar.gz	Direct	1.2.5	❌
CVE-2016-2513	Low	3.1	Django-1.2.2.tar.gz	Direct	1.8.10,1.9.3	❌
CVE-2014-0483	Low	3.1	Django-1.2.2.tar.gz	Direct	1.4.14	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (24 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-34265

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Publish Date: 2022-07-04

URL: CVE-2022-34265

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

Release Date: 2022-07-04

Fix Resolution: 3.2.14

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2019-19844

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Publish Date: 2019-12-18

URL: CVE-2019-19844

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844

Release Date: 2019-12-18

Fix Resolution: 1.11.27;2.2.9;3.0.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2014-0474

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Publish Date: 2014-04-23

URL: CVE-2014-0474

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474

Release Date: 2014-04-23

Fix Resolution: 1.4.11

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2015-5143

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Publish Date: 2015-07-14

URL: CVE-2015-5143

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143

Release Date: 2015-07-14

Fix Resolution: 1.4.21

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-44420

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Publish Date: 2021-12-08

URL: CVE-2021-44420

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://docs.djangoproject.com/en/3.2/releases/security/

Release Date: 2021-12-08

Fix Resolution: Django - 2.2.25,3.1.14,3.2.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2011-0698

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.

Publish Date: 2011-02-14

URL: CVE-2011-0698

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0698

Release Date: 2011-02-14

Fix Resolution: 1.2.5

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-6186

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Publish Date: 2016-08-05

URL: CVE-2016-6186

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6186

Release Date: 2016-08-05

Fix Resolution: 1.8.14,1.9.8,1.10rc1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2014-0472

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Publish Date: 2014-04-23

URL: CVE-2014-0472

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472

Release Date: 2014-04-23

Fix Resolution: 1.4.11

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2011-4140

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Publish Date: 2011-10-19

URL: CVE-2011-4140

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

Release Date: 2011-10-19

Fix Resolution: 1.2.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2011-0696

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.

Publish Date: 2011-02-14

URL: CVE-2011-0696

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2011/feb/08/security/

Release Date: 2011-02-14

Fix Resolution: 1.2.5

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2015-0221

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

Publish Date: 2015-01-16

URL: CVE-2015-0221

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0221

Release Date: 2015-01-16

Fix Resolution: 1.4.18

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2015-0219

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

Publish Date: 2015-01-16

URL: CVE-2015-0219

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0219

Release Date: 2015-01-16

Fix Resolution: 1.4.18

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2012-3444

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

Publish Date: 2012-07-31

URL: CVE-2012-3444

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3444

Release Date: 2012-07-31

Fix Resolution: 1.3.3

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2012-3443

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

Publish Date: 2012-07-31

URL: CVE-2012-3443

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3443

Release Date: 2012-07-31

Fix Resolution: 1.4.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2011-4139

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

Publish Date: 2011-10-19

URL: CVE-2011-4139

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4139

Release Date: 2011-10-19

Fix Resolution: 1.2.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2011-4138

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.

Publish Date: 2011-10-19

URL: CVE-2011-4138

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4138

Release Date: 2011-10-19

Fix Resolution: 1.2.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2011-4137

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.

Publish Date: 2011-10-19

URL: CVE-2011-4137

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4137

Release Date: 2011-10-19

Fix Resolution: 1.2.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2010-4535

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.

Publish Date: 2011-01-10

URL: CVE-2010-4535

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4535

Release Date: 2011-01-10

Fix Resolution: 1.2.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2014-0482

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

Publish Date: 2014-08-26

URL: CVE-2014-0482

### CVSS 3 Score Details (5.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0482

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2014-0480

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Publish Date: 2014-08-26

URL: CVE-2014-0480

### CVSS 3 Score Details (4.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480

Release Date: 2014-08-26

Fix Resolution: 1.4.14

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2011-4136

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

Publish Date: 2011-10-19

URL: CVE-2011-4136

### CVSS 3 Score Details (4.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4136

Release Date: 2011-10-19

Fix Resolution: 1.2.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2010-4534

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.

Publish Date: 2011-01-10

URL: CVE-2010-4534

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2010/dec/22/security/

Release Date: 2011-01-10

Fix Resolution: 1.2.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2015-5144

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

Publish Date: 2015-07-14

URL: CVE-2015-5144

### CVSS 3 Score Details (3.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5144

Release Date: 2015-07-14

Fix Resolution: 1.4.21

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2015-2317

### Vulnerable Library - Django-1.2.2.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/c9/11/cfdc58670b7f01ae94cd2b256c07892109fc5fffd0c5a613393891426cbe/Django-1.2.2.tar.gz

Dependency Hierarchy: - :x: **Django-1.2.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 856120c29fe07c77a524558115de5b61d5715fc3

Found in base branch: main

### Vulnerability Details

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

Publish Date: 2015-03-25

URL: CVE-2015-2317

### CVSS 3 Score Details (3.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-2317

Release Date: 2015-03-25

Fix Resolution: 1.4.20,1.6.11,1.7.7,1.8c1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

[localbolt[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github[bot]]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.