Basic information
Project name: divio/django-cms
Repository URL: https://github.com/pterodactyl/panel
Scan report URL: https://www.murphysec.com/console/report/1717181131300405248/1717181131350736896
This report is provided by Murphysec.
Vulnerability list
| Vulnerability name | Vulnerability type | MPS ID | CVE ID | Severity |
|---|---|---|---|---|
| Matthäus G. Chajdas pygments code issue vulnerability | Arbitrary file upload | MPS-2022-57237 | CVE-2022-40896 | Medium |
| Django denial-of-service vulnerability | Denial of service | MPS-2023-2240 | CVE-2023-23969 | Medium |
| urllib3 security vulnerability | Unauthorized sensitive information disclosure | MPS-46py-nxai | CVE-2023-45803 | Medium |
| Django uri_to_iri method denial-of-service vulnerability | Denial of service | MPS-5lqu-cve2 | CVE-2023-41164 | Medium |
| PyPI charset-normalizer package contains embedded malicious code | Embedded malicious code | MPS-67h0-j1fr | | High |
| Certifi data forgery vulnerability | Insufficient verification of data authenticity | MPS-ck78-r6zg | CVE-2023-37920 | Critical |
| Requests Proxy-Authorization header leak vulnerability | Unauthorized sensitive information disclosure | MPS-hr61-tzey | CVE-2023-32681 | Medium |
| urllib3 HTTP redirect information disclosure vulnerability | Unauthorized sensitive information disclosure | MPS-s0oy-afbw | CVE-2023-43804 | High |
| sqlparse security vulnerability | ReDoS | MPS-zs9l-yk45 | CVE-2023-30608 | High |
Vulnerable components
| Component | Version | Minimum fixed version | Dependency | Remediation advice |
|---|---|---|---|---|
| charset-normalizer | 2.1.0 | | Indirect | Fix strongly recommended |
| certifi | 2022.12.07 | 2023.7.22 | Indirect | Fix recommended |
| urllib3 | 1.26.11 | 1.26.18 | Indirect | Fix recommended |
| sqlparse | 0.4.2 | 0.4.4 | Indirect | Fix recommended |
| requests | 2.28.1 | 2.31.0 | Indirect | Fix recommended |
| django | 3.2.16 | 3.2.21 | Indirect | Fix optional |
| pygments | 2.13.0 | 2.15.0 | Indirect | Fix optional |
License risks
| License type | Number of components | License risk |
|---|---|---|
| MIT | 25 | Low |
| Custom license | 15 | Low |
| BSD-2-Clause | 2 | Low |
| Apache-2.0 | 4 | Low |
| LGPL-3.0 | 2 | Medium |
| ISC | 1 | Low |
| BSD-3-Clause | 7 | Low |
| LGPL-2.1-or-later | 1 | Low |
| GPL-2.0 | 1 | Medium |
| HPND | 1 | Low |
SBOM inventory
| Component | Version | Dependency | Repository |
|---|---|---|---|
| Page | | Indirect | pip |
| ExpressionWrapper | | Indirect | pip |
| loader | | Indirect | pip |
| jinja2 | 3.1.2 | Indirect | pip |
| urlparse | | Indirect | pip |
| urljoin | | Indirect | pip |
| create_title | | Indirect | pip |
| _exists | | Indirect | pip |
| datetime | 4.5 | Indirect | pip |
| timedelta | | Indirect | pip |
| NodeList | | Indirect | pip |
| colorama | 0.4.5 | Indirect | pip |
| sphinxcontrib-applehelp | 1.0.2 | Indirect | pip |
| add_plugin | | Indirect | pip |
| local-storage | 1.4.2 | Indirect | npm |
| wheel | 0.38.1 | Indirect | pip |
| coverage | 4 | Indirect | pip |
| sphinx-copybutton | 0.5.0 | Indirect | pip |
| urijs | 1.19.11 | Indirect | npm |
| django-formtools | 2.3 | Indirect | pip |
| clear_url_caches | | Indirect | pip |
| prevent-parent-scroll | 0.0.6 | Indirect | npm |
| babel-runtime | 6.26.0 | Indirect | npm |
| Context | | Indirect | pip |
| sphinxcontrib-devhelp | 1.0.2 | Indirect | pip |
| Model | | Indirect | pip |
| sphinxext-opengraph | 0.6.3 | Indirect | pip |
| set_placeholder_cache | | Indirect | pip |
| constants | | Indirect | pip |
| PLUGIN_TOOLBAR_JS | | Indirect | pip |
| PermissionsMixin | | Indirect | pip |
| FilteredSelectMultiple | | Indirect | pip |
| models | | Indirect | pip |
| classytags | | Indirect | pip |
| NoReverseMatch | | Indirect | pip |
| pytz | 2022.2.1 | Indirect | pip |
| six | 1.16.0 | Indirect | pip |
| build | 0.8.0 | Indirect | pip |
| sphinxcontrib-serializinghtml | 1.1.5 | Indirect | pip |
| ManyToManyField | | Indirect | pip |
| Resolver404 | | Indirect | pip |
| DJANGO_3_0 | | Indirect | pip |
| get_resolver | | Indirect | pip |
| soupsieve | 2.3.2.post1 | Indirect | pip |
| Group | | Indirect | pip |
| Parser | | Indirect | pip |
| LogEntry | | Indirect | pip |
| migrations | | Indirect | pip |
| HttpResponse | | Indirect | pip |
| add_never_cache_headers | | Indirect | pip |
| docutils | 0.19 | Indirect | pip |
| idna | 3.3 | Indirect | pip |
| parse_qsl | | Indirect | pip |
| PermissionDenied | | Indirect | pip |
| sphinx-autobuild | 2021.3.14 | Indirect | pip |
| keyboardjs | 2.7.0 | Indirect | npm |
| LocalePrefixPattern | | Indirect | pip |
| menus | | Indirect | pip |
| lodash | 4.17.21 | Indirect | npm |
| FieldError | | Indirect | pip |
| certifi | 2022.12.07 | Indirect | pip |
| unittest-xml-reporting | 1.11.0 | Indirect | pip |
| pip-tools | 6.8.0 | Indirect | pip |
| import_string | | Indirect | pip |
| python-coveralls | 2.5.0 | Indirect | pip |
| override_settings | | Indirect | pip |
| PageQuerySet | | Indirect | pip |
| regenerator-runtime | 0.11.1 | Indirect | npm |
| URL_CMS_PAGE | | Indirect | pip |
| tornado | 6.3.2 | Indirect | pip |
| cms | | Indirect | pip |
| messages | | Indirect | pip |
| CMSTestCase | | Indirect | pip |
| get_current_site | | Indirect | pip |
| RelatedFieldWidgetWrapper | | Indirect | pip |
| mkdtemp | | Indirect | pip |
| TemplateSyntaxError | | Indirect | pip |
| sphinxcontrib-htmlhelp | 2.0.0 | Indirect | pip |
| sqlparse | 0.4.2 | Indirect | pip |
| Options | | Indirect | pip |
| HTMLParseError | | Indirect | pip |
| create_page | | Indirect | pip |
| requests | 2.28.1 | Indirect | pip |
| pyenchant | 3.2.2 | Indirect | pip |
| Http404 | | Indirect | pip |
| diff-dom | 5.0.4 | Indirect | npm |
| markupsafe | 2.1.1 | Indirect | pip |
| Sphinx | 4.2.0 | Indirect | pip |
| skipIf | | Indirect | pip |
| nprogress | 0.2.0 | Indirect | npm |
| charset-normalizer | 2.1.0 | Indirect | pip |
| PLACEHOLDER_TOOLBAR_JS | | Indirect | pip |
| LEFT | | Indirect | pip |
| Q | | Indirect | pip |
| PageNodeQuerySet | | Indirect | pip |
| HttpResponseBadRequest | | Indirect | pip |
| django-classy-tags | 0.7.2 | Indirect | pip |
| pyparsing | 3.0.9 | Indirect | pip |
| sphinx | 5.1.1 | Indirect | pip |
| get_app_patterns | | Indirect | pip |
| RegexValidator | | Indirect | pip |
| __version__ | | Indirect | pip |
| AbstractBaseUser | | Indirect | pip |
| WizardStep1Form | | Indirect | pip |
| TemplateDoesNotExist | | Indirect | pip |
| asgiref | 3.5.2 | Indirect | pip |
| click | 8.1.3 | Indirect | pip |
| skipUnless | | Indirect | pip |
| zope-interface | 5.4.0 | Indirect | pip |
| sphinxcontrib-jsmath | 1.0.1 | Indirect | pip |
| Tag | | Indirect | pip |
| patch_response_headers | | Indirect | pip |
| Permission | | Indirect | pip |
| pygments | 2.13.0 | Indirect | pip |
| django-treebeard | 4.3 | Indirect | pip |
| DJANGO_2_2 | | Indirect | pip |
| codespell | 2.2.1 | Indirect | pip |
| pep517 | 0.13.0 | Indirect | pip |
| WizardStep2BaseForm | | Indirect | pip |
| packaging | 21.3 | Indirect | pip |
| fuzzaldrin | 2.1.0 | Indirect | npm |
| clear_app_resolvers | | Indirect | pip |
| urllib3 | 1.26.11 | Indirect | pip |
| CommandParser | | Indirect | pip |
| mock | 2.0.0 | Indirect | pip |
| furo | 2022.6.21 | Indirect | pip |
| Pillow | 10.0.1 | Indirect | pip |
| tomli | 2.0.1 | Indirect | pip |
| reverse | | Indirect | pip |
| beautifulsoup4 | 4.11.1 | Indirect | pip |
| livereload | 2.6.3 | Indirect | pip |
| URLValidator | | Indirect | pip |
| snowballstemmer | 2.2.0 | Indirect | pip |
| djangocms_text_ckeditor | | Indirect | pip |
| sphinx-basic-ng | 0.0.1a12 | Indirect | pip |
| TestCase | | Indirect | pip |
| django | 3.2.16 | Indirect | pip |
| djangocms-admin-style | 1.5 | Indirect | pip |
| django-sekizai | 0.7 | Indirect | pip |
| get_placeholder_cache | | Indirect | pip |
| CHANGE | | Indirect | pip |
| CMSPlugin | | Indirect | pip |
| core-js | 2.6.12 | Indirect | npm |
| sphinxcontrib-qthelp | 1.0.3 | Indirect | pip |
| unquote | | Indirect | pip |
| AnonymousUser | | Indirect | pip |
| BaseCommand | | Indirect | pip |
| Template | | Indirect | pip |
| imagesize | 1.4.1 | Indirect | pip |
| HttpResponseNotFound | | Indirect | pip |
| REFRESH_PAGE | | Indirect | pip |
| alabaster | 0.7.12 | Indirect | pip |
| babel | 2.10.3 | Indirect | pip |
| sphinxcontrib-spelling | 7.6.0 | Indirect | pip |
| autodiscover_modules | | Indirect | pip |
| permissions | | Indirect | pip |
| admin | | Indirect | pip |