PT-2014-3651 · Django Software Foundation+1 · Django+1
Collin Anderson
·
Publicado
2014-08-26
·
Atualizado
2022-05-14
·
CVE-2014-0483
CVSS v4.0
5.3
Média
| Vetor | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Django versions 1.4.x through 1.4.13
Django versions 1.5.x through 1.5.8
Django versions 1.6.x through 1.6.5
Django versions 1.7 before release candidate 3
Description
The administrative interface in Django does not check if a field represents a relationship between models. This allows remote authenticated users to obtain sensitive information via a
to field parameter in a popup action to an admin change form page, as demonstrated by a "/admin/auth/user/?pop=1&t=password" URI.Recommendations
For Django versions 1.4.x through 1.4.13, update to version 1.4.14 or later.
For Django versions 1.5.x through 1.5.8, update to version 1.5.9 or later.
For Django versions 1.6.x through 1.6.5, update to version 1.6.6 or later.
For Django versions 1.7 before release candidate 3, update to release candidate 3 or later.
Exploit
Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Django
Ubuntu