应用安全 - 编程语言 | 框架 - PHP - Djiango - 漏洞 -汇总

Posted atesetenginner

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了应用安全 - 编程语言 | 框架 - PHP - Djiango - 漏洞 -汇总相关的知识,希望对你有一定的参考价值。

CVE-2007-0404

Date
August 16, 2006
类型
Filename validation issue in translation framework. Full description 影响范围

 

CVE-2007-0405

Date
January 21, 2007 

类型

Apparent “caching” of authenticated user. Full description

Issues under Django’s security process¶
All other security issues have been handled under versions of Django’s security process. These are listed below.


影响范围

 

October 26, 2007 - CVE-2007-5712

Denial-of-service via arbitrarily-large Accept-Language header. Full description

 

May 14, 2008 - CVE-2008-2302
XSS via admin login redirect. Full description

 

September 2, 2008 - CVE-2008-3909
CSRF via preservation of POST data during admin login. Full description

 

July 28, 2009 - CVE-2009-2659
Directory-traversal in development server media handler. Full description

 

October 9, 2009 - CVE-2009-3965
Denial-of-service via pathological regular expression performance. Full description

 

September 8, 2010 - CVE-2010-3082
XSS via trusting unsafe cookie value. Full description

 

December 22, 2010 - CVE-2010-4534
Information leakage in administrative interface. Full description

 

December 22, 2010 - CVE-2010-4535
Denial-of-service in password-reset mechanism. Full description

 

February 8, 2011 - CVE-2011-0696
CSRF via forged HTTP headers. Full description

 

February 8, 2011 - CVE-2011-0697
XSS via unsanitized names of uploaded files. Full description

 

February 8, 2011 - CVE-2011-0698
Directory-traversal on Windows via incorrect path-separator handling. Full description

 

September 9, 2011 - CVE-2011-4136
Session manipulation when using memory-cache-backed session. Full description

 

September 9, 2011 - CVE-2011-4137
Denial-of-service via URLField.verify_exists. Full description

 

September 9, 2011 - CVE-2011-4138
Information leakage/arbitrary request issuance via URLField.verify_exists. Full description

 

September 9, 2011 - CVE-2011-4139
Host header cache poisoning. Full description

 

September 9, 2011 - CVE-2011-4140
Potential CSRF via Host header. Full description

This notification was an advisory only, so no patches were issued.

 

July 30, 2012 - CVE-2012-3442
XSS via failure to validate redirect scheme. Full description

 

July 30, 2012 - CVE-2012-3443
Denial-of-service via compressed image files. Full description

 

July 30, 2012 - CVE-2012-3444
Denial-of-service via large image files. Full description

 

October 17, 2012 - CVE-2012-4520
Host header poisoning. Full description

 

December 10, 2012 - No CVE 1
Additional hardening of Host header handling. Full description

 

December 10, 2012 - No CVE 2
Additional hardening of redirect validation. Full description

 

February 19, 2013 - No CVE
Additional hardening of Host header handling. Full description

 

February 19, 2013 - CVE-2013-1664 / CVE-2013-1665
Entity-based attacks against Python XML libraries. Full description

 

February 19, 2013 - CVE-2013-0305
Information leakage via admin history log. Full description

 

February 19, 2013 - CVE-2013-0306
Denial-of-service via formset max_num bypass. Full description

 

August 13, 2013 - CVE-2013-4249
XSS via admin trusting URLField values. Full description

 

August 13, 2013 - CVE-2013-6044
Possible XSS via unvalidated URL redirect schemes. Full description

 

September 10, 2013 - CVE-2013-4315
Directory-traversal via ssi template tag. Full description

 

September 14, 2013 - CVE-2013-1443
Denial-of-service via large passwords. Full description

Django 1.4 (patch and Python compatibility fix)


April 21, 2014 - CVE-2014-0472
Unexpected code execution using reverse(). Full description

 

April 21, 2014 - CVE-2014-0473
Caching of anonymous pages could reveal CSRF token. Full description

 

April 21, 2014 - CVE-2014-0474
mysql typecasting causes unexpected query results. Full description

 

May 18, 2014 - CVE-2014-1418
Caches may be allowed to store and serve private data. Full description

 

May 18, 2014 - CVE-2014-3730
Malformed URLs from user input incorrectly validated. Full description

 

August 20, 2014 - CVE-2014-0480
reverse() can generate URLs pointing to other hosts. Full description

 

August 20, 2014 - CVE-2014-0481
File upload denial of service. Full description

 

August 20, 2014 - CVE-2014-0482
RemoteUserMiddleware session hijacking. Full description

 

August 20, 2014 - CVE-2014-0483
Data leakage via querystring manipulation in admin. Full description

 

January 13, 2015 - CVE-2015-0219
WSGI header spoofing via underscore/dash conflation. Full description

 

January 13, 2015 - CVE-2015-0220
Mitigated possible XSS attack via user-supplied redirect URLs. Full description

 

January 13, 2015 - CVE-2015-0221
Denial-of-service attack against django.views.static.serve(). Full description

 

January 13, 2015 - CVE-2015-0222
Database denial-of-service with ModelMultipleChoiceField. Full description

 

March 9, 2015 - CVE-2015-2241
XSS attack via properties in ModelAdmin.readonly_fields. Full description

 

March 18, 2015 - CVE-2015-2316
Denial-of-service possibility with strip_tags(). Full description

 

March 18, 2015 - CVE-2015-2317
Mitigated possible XSS attack via user-supplied redirect URLs. Full description

 

May 20, 2015 - CVE-2015-3982
Fixed session flushing in the cached_db backend. Full description

 

July 8, 2015 - CVE-2015-5143
Denial-of-service possibility by filling session store. Full description

 

July 8, 2015 - CVE-2015-5144
Header injection possibility since validators accept newlines in input. Full description


July 8, 2015 - CVE-2015-5145
Denial-of-service possibility in URL validation. Full description


August 18, 2015 - CVE-2015-5963 / CVE-2015-5964
Denial-of-service possibility in logout() view by filling session store. Full description

 

November 24, 2015 - CVE-2015-8213
Settings leak possibility in date template filter. Full description

 

February 1, 2016 - CVE-2016-2048
User with “change” but not “add” permission can create objects for ModelAdmin’s with save_as=True. Full description

 

March 1, 2016 - CVE-2016-2512
Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description

 

March 1, 2016 - CVE-2016-2513
User enumeration through timing difference on password hasher work factor upgrade. Full description

 

July 18, 2016 - CVE-2016-6186
XSS in admin’s add/change related popup. Full description

 

September 26, 2016 - CVE-2016-7401
CSRF protection bypass on a site with Google Analytics. Full description

 

November 1, 2016 - CVE-2016-9013
User with hardcoded password created when running tests on Oracle. Full description

 

November 1, 2016 - CVE-2016-9014
DNS rebinding vulnerability when DEBUG=True. Full description

 

April 4, 2017 - CVE-2017-7233
Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description

 

April 4, 2017 - CVE-2017-7234
Open redirect vulnerability in django.views.static.serve(). Full description

 

September 5, 2017 - CVE-2017-12794
Possible XSS in traceback section of technical 500 debug page. Full description

 

February 1, 2018 - CVE-2018-6188
Information leakage in AuthenticationForm. Full description

 

March 6, 2018 - CVE-2018-7536
Denial-of-service possibility in urlize and urlizetrunc template filters. Full description

 

March 6, 2018 - CVE-2018-7537
Denial-of-service possibility in truncatechars_html and truncatewords_html template filters. Full description

 

August 1, 2018 - CVE-2018-14574
Open redirect possibility in CommonMiddleware. Full description

 

October 1, 2018 - CVE-2018-16984
Password hash disclosure to “view only” admin users. Full description

 

January 4, 2019 - CVE-2019-3498
Content spoofing possibility in the default 404 page. Full description

 

February 11, 2019 - CVE-2019-6975
Memory exhaustion in django.utils.numberformat.format(). Full description

 

June 3, 2019 - CVE-2019-11358
Prototype pollution in bundled jQuery. Full description

June 3, 2019 - CVE-2019-12308
XSS via “Current URL” link generated by AdminURLFieldWidget. Full description

July 1, 2019 - CVE-2019-12781
Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Full description

 

August 1, 2019 - CVE-2019-14232
Denial-of-service possibility in django.utils.text.Truncator. Full description

 

August 1, 2019 - CVE-2019-14233
Denial-of-service possibility in strip_tags(). Full description

 

August 1, 2019 - CVE-2019-14234

SQL injection possibility in key and index lookups for JSONField/HStoreField. Full description


CVE-2019-14235

Date
August 1, 2019

类型
Potential memory exhaustion in django.utils.encoding.uri_to_iri(). Full description


CVE-2019-19118

Date
December 2, 2019

类型
Privilege escalation in the Django admin. Full description

影响范围

 

 CVE-2019-19844

Date
December 18, 2019

类型
Potential account hijack via password reset form. Full description 影响范围

以上是关于应用安全 - 编程语言 | 框架 - PHP - Djiango - 漏洞 -汇总的主要内容,如果未能解决你的问题,请参考以下文章

2019 年最流行的七个 PHP Web 框架

2019年最流行的七个PHP Web框架-InfoQ

[PHP] Yaf框架的简单安装使用

应用安全 - 编程语言漏洞 - PHP语言漏洞汇总

gRPC 通信框架实现存在数据泄露等安全问题

开发PHP商城要注意的一些常见安全问题