Djangoblog
DjangoBlog versions up to 2.1.0.0 use a hard-coded cryptographic key in djangoblog/settings.py; manipulating the SECRET_KEY argument during file upload operations allows remote attackers, with user interaction, to obtain sensitive information. The attack requires high complexity and user participation and results in a low confidentiality impact (CVSS 2.3). Publicly available exploit code exists, though the vendor has not responded to disclosure attempts.
DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in djangoblog/settings.py that can be exploited remotely to bypass authentication and gain unauthorized access. The vulnerability stems from sensitive USER/PASSWORD arguments being embedded in configuration files, allowing attackers with network access to retrieve database credentials. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
Improper authorization in liangliangyy DjangoBlog versions up to 2.1.0.0 allows authenticated remote attackers to manipulate the oauthid parameter in the oauth/views.py form_valid function, bypassing access controls to perform unauthorized operations. The vulnerability has confirmed public exploit code available and affects all instances where OAuth functionality is enabled. This is a privilege escalation or horizontal access control bypass vulnerability accessible to any authenticated user.
Hard-coded Amap API key exposure in DjangoBlog allows remote attackers to abuse geolocation services without authentication. DjangoBlog versions up to 2.1.0.0 embed a fixed cryptographic key in owntracks/views.py for Amap API calls, enabling unauthorized API usage with low confidentiality, integrity, and availability impact. Publicly available exploit code exists (POC=YES); EPSS data is not provided, and the issue is not listed in CISA KEV. The vendor has been unresponsive to disclosure.
DjangoBlog up to version 2.1.0.0 contains an authentication bypass vulnerability in the blog/views.py Clean Endpoint that allows remote unauthenticated attackers to trigger cache purge or data manipulation operations. The vulnerability has a CVSS score of 6.5 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, and the vendor has not responded to early disclosure.
Liangliangyy DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in the SECRET_KEY parameter within djangoblog/settings.py, allowing remote unauthenticated attackers to bypass authentication and encrypt/decrypt sensitive session data. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor did not respond to early disclosure notification. With a CVSS score of 5.6 and AC:H rating, practical exploitation requires moderate technical effort but affects confidentiality, integrity, and availability.
Missing authentication in DjangoBlog 2.1.0.0 and prior allows remote unauthenticated attackers to inject GPS tracking data via the owntracks/views.py logtracks endpoint. Publicly available exploit code exists (GitHub POC). CVSS 7.3 with full network attack vector (AV:N/AC:L/PR:N/UI:N). EPSS and KEV status not provided, but POC availability indicates medium-to-high exploitation risk for internet-facing DjangoBlog instances with OwnTracks integration enabled. Vendor non-responsive to disclosure.
Command injection in DjangoBlog WeChat Bot Interface allows authenticated remote attackers to execute arbitrary system commands by manipulating the Source argument in the CommandHandler function. Affected versions up to 2.1.0.0 are vulnerable. The exploit has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure attempts. CVSS score of 6.3 reflects moderate severity with network-accessible attack vector requiring authentication.