Componentpedia / Listings / django / 1.7.6

Last update: 12/06/2025

django

The Web framework for perfectionists with deadlines.

Version: 1.7.6 registry icon
Safety score
-445
Check your open source dependency risks. Get immediate insight about security, stability and licensing risks.
De-risk your app now
Security Risks of Known Vulnerabilities
CVE-2016-7401
CWE-254
Threat level: HIGH | CVSS score: 7.5

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.


CVE-2015-5143
CWE-399
Threat level: HIGH | CVSS score: 7.8

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.


CVE-2025-48432
CWE-117
Threat level: MEDIUM | CVSS score: 5

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.


CVE-2015-5964
CWE-399
Threat level: MEDIUM | CVSS score: 5.0

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.


CVE-2019-19844
CWE-640
Threat level: CRITICAL | CVSS score: 9.8

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)


CVE-2015-5963
CWE-399
Threat level: MEDIUM | CVSS score: 5.0

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.


CVE-2015-5144
CWE-20
Threat level: MEDIUM | CVSS score: 4.3

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.


CVE-2015-2317
CWE-79
Threat level: MEDIUM | CVSS score: 4.3

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.


CVE-2015-2316
CWE-399
Threat level: MEDIUM | CVSS score: 5.0

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.


CVE-2021-33203
CWE-22
Threat level: MEDIUM | CVSS score: 4.9

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.


CVE-2015-8213
CWE-200
Threat level: MEDIUM | CVSS score: 5.0

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.


CVE-2016-6186
CWE-79
Threat level: MEDIUM | CVSS score: 6.1

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.


Please note that this component is affected by 18 other vulnerabilities
3 Critical  |  7 High  |  7 Medium  |  1 Low  |  3 Suggest

Latest safe major: 5.2.3 Scan your application codebase with Meterian to see all known vulnerabilities in your open source software dependencies.


Stability

Stay updated with the latest patches and releases. Plan your sofware desisgn. Avoid common known vulnerabilities fixed by the open source community

Latest patch release:   1.7.11

Latest minor release:   1.11.29

Latest major release:   5.2.3

Licensing

Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.

BSD   -   BSD License (Generic)

Is a wildcard

Not proprietary

OSI Compliant