Djangoblog

3 CVEs

CVE-2026-6611 (LOW, public PoC)

DjangoBlog versions up to 2.1.0.0 ship a hard-coded cryptographic key, the SECRET_KEY value in djangoblog/settings.py. The advisory files the weakness under the File Upload component with SECRET_KEY as the affected argument; a remote attacker who can get a user to interact may obtain sensitive information. Attack complexity is rated high and user participation is required, so the confidentiality impact is low (CVSS 4.0 base score 2.3). Public exploit code exists, and the vendor had not responded to early disclosure contact. Any deployment that kept the shipped key should replace it with a freshly generated one: Django uses SECRET_KEY to sign sessions, password-reset tokens and other signed values, so anyone who knows the key can forge them (rotating the key invalidates existing sessions).

Component: File Upload
References: NVD, VulDB, GitHub
CVSS 4.0: 2.3 | EPSS: 0.0%
CVE-2026-6610 (MEDIUM, public PoC)

DjangoBlog versions up to 2.1.0.0 ship hard-coded credentials in djangoblog/settings.py: the database USER and PASSWORD values are embedded in the configuration file. Because that file is part of the published source, anyone who reads it knows the values, and an attacker with network access to the database of a deployment that kept them can authenticate with them and gain unauthorized access (the advisory classes this as an authentication bypass). Public exploit code exists, and the vendor had not responded to early disclosure contact. Deployments should set unique database credentials and load them from the environment or a secrets store rather than from the checked-in settings file.

Component: Authentication Bypass
References: NVD, VulDB, GitHub
CVSS 4.0: 6.3 | EPSS: 0.0%
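The two settings.py findings above (CVE-2026-6611 and CVE-2026-6610) share one weakness class: secrets committed as string literals in a Django settings module. The script below is an added example, not DjangoBlog's code and not taken from either advisory. It parses a settings.py with Python's ast module, reports SECRET_KEY and DATABASES USER/PASSWORD values that are string literals, and shows the environment-backed form that passes the check. The two sample settings strings and the environment variable names (DJANGO_SECRET_KEY, DJANGO_DB_USER, DJANGO_DB_PASSWORD and the rest) are constructed for the example.

```python
"""Added example (not DjangoBlog's code): flag hard-coded SECRET_KEY and
database credentials in a Django settings module, the weakness class behind
CVE-2026-6611 and CVE-2026-6610, and show the externalised form that passes."""
import ast
from typing import List

# Constructed sample in the vulnerable shape: secrets as string literals.
WEAK_SETTINGS = '''
SECRET_KEY = "django-insecure-abc123"
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.mysql",
        "NAME": "djangoblog",
        "USER": "root",
        "PASSWORD": "hunter2",
        "HOST": "127.0.0.1",
    }
}
'''

# Constructed corrected form: every secret is read from the environment at
# start-up, so the checked-in file carries no usable credential. The variable
# names are assumptions for this example.
FIXED_SETTINGS = '''
import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.mysql",
        "NAME": os.environ.get("DJANGO_DB_NAME", "djangoblog"),
        "USER": os.environ["DJANGO_DB_USER"],
        "PASSWORD": os.environ["DJANGO_DB_PASSWORD"],
        "HOST": os.environ.get("DJANGO_DB_HOST", "127.0.0.1"),
    }
}
'''

SENSITIVE_DB_KEYS = {"USER", "PASSWORD"}


def _is_literal_secret(node: ast.AST) -> bool:
    """A non-empty string constant is a hard-coded secret. Anything else
    (os.environ lookup, function call, name) is treated as externalised."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def _scan_databases(db_dict: ast.Dict) -> List[str]:
    """Walk DATABASES = {alias: {KEY: value, ...}} and flag literal USER/PASSWORD."""
    findings: List[str] = []
    for alias_node, cfg in zip(db_dict.keys, db_dict.values):
        alias = alias_node.value if isinstance(alias_node, ast.Constant) else "?"
        if not isinstance(cfg, ast.Dict):
            continue
        for key_node, val in zip(cfg.keys, cfg.values):
            if isinstance(key_node, ast.Constant) and key_node.value in SENSITIVE_DB_KEYS:
                if _is_literal_secret(val):
                    findings.append(f"DATABASES.{alias}.{key_node.value}")
    return findings


def find_hardcoded_secrets(source: str) -> List[str]:
    """Return findings such as 'SECRET_KEY' or 'DATABASES.default.PASSWORD'
    for every top-level assignment in the settings source that embeds a literal."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            if target.id == "SECRET_KEY" and _is_literal_secret(node.value):
                findings.append("SECRET_KEY")
            elif target.id == "DATABASES" and isinstance(node.value, ast.Dict):
                findings.extend(_scan_databases(node.value))
    return findings


if __name__ == "__main__":
    print("weak :", find_hardcoded_secrets(WEAK_SETTINGS))
    print("fixed:", find_hardcoded_secrets(FIXED_SETTINGS))
```

To audit a real deployment, call find_hardcoded_secrets on the contents of djangoblog/settings.py (and any settings override module). Only non-empty string constants count as findings: values built from os.environ, a secrets-manager call or another name pass, so the check complements, rather than replaces, a review of where those values actually come from at runtime.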
CVE-2026-6609 (MEDIUM, public PoC)

Improper authorization in liangliangyy DjangoBlog versions up to 2.1.0.0: the form_valid function in oauth/views.py acts on the client-supplied oauthid parameter, and the access control on it can be bypassed, so any authenticated remote user can manipulate oauthid to perform operations they are not authorized for. The advisory describes this as a horizontal access-control bypass, possibly usable for privilege escalation, reachable by any authenticated user on every instance with OAuth login enabled. Public exploit code is confirmed. Until a fixed release is available, disabling the OAuth login providers removes the reachable code path.

Component: Authentication Bypass
References: NVD, VulDB, GitHub
CVSS 4.0: 5.3 | EPSS: 0.0%
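As an added illustration of the access-control failure described for CVE-2026-6609 (not DjangoBlog's code; the advisory does not publish the handler, so OAuthBinding, make_store, bind_oauth_vulnerable and bind_oauth_hardened are assumed names on an in-memory stand-in for the ORM), the handler below models a form_valid-style step that links an OAuth identity to the logged-in user. The vulnerable variant trusts the submitted oauthid, which is the pattern a horizontal bypass on an id parameter implies; the hardened variant requires the id to match what the server stored in the session during the OAuth callback and checks that the record is unowned or already owned by the requester. The binding records are constructed sample data.

```python
"""Added example: object-level authorization on an OAuth binding id.
Not DjangoBlog's code; the model, store and handler names are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional


class PermissionDenied(Exception):
    """Stand-in for the 403/404 response a Django view would return."""


@dataclass
class OAuthBinding:
    id: int
    provider: str
    openid: str
    owner_id: Optional[int]  # local user this identity is linked to, if any


def make_store() -> Dict[int, OAuthBinding]:
    """Constructed data: binding 1 already belongs to user 10, binding 2 is unlinked."""
    return {
        1: OAuthBinding(1, "github", "alice-gh", owner_id=10),
        2: OAuthBinding(2, "github", "mallory-gh", owner_id=None),
    }


def bind_oauth_vulnerable(store: Dict[int, OAuthBinding], request_user_id: int,
                          oauthid: int) -> OAuthBinding:
    """Trusts the client-supplied oauthid: looks the record up by primary key
    only and re-points it at the requester, so any authenticated user can take
    over another user's binding by editing one form field."""
    binding = store[oauthid]
    binding.owner_id = request_user_id
    return binding


def bind_oauth_hardened(store: Dict[int, OAuthBinding], request_user_id: int,
                        session_pending_oauthid: Optional[int],
                        oauthid: int) -> OAuthBinding:
    """Two checks the vulnerable version lacks:
    1. the submitted oauthid must equal the id the server stored in this
       session when the OAuth callback completed (the client cannot pick it);
    2. the record must be unowned or already owned by the requester."""
    if session_pending_oauthid is None or oauthid != session_pending_oauthid:
        raise PermissionDenied("oauthid was not issued to this session")
    binding = store.get(oauthid)
    if binding is None:
        raise PermissionDenied("unknown binding")
    if binding.owner_id not in (None, request_user_id):
        raise PermissionDenied("binding belongs to another user")
    binding.owner_id = request_user_id
    return binding


if __name__ == "__main__":
    # User 20 submits oauthid=1 (Alice's binding) instead of their own id 2.
    hijacked = bind_oauth_vulnerable(make_store(), request_user_id=20, oauthid=1)
    print("vulnerable: binding 1 now owned by user", hijacked.owner_id)
    try:
        bind_oauth_hardened(make_store(), 20, session_pending_oauthid=2, oauthid=1)
    except PermissionDenied as exc:
        print("hardened: rejected,", exc)
```

The session check is the stronger of the two: once the server decides which binding a session is completing, the form field becomes redundant and can be dropped entirely. The ownership check remains worthwhile as defence in depth for any other view that accepts a binding id.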