PT-2016-6791 · Django Software Foundation+2 · Django+2

Benjamin Kunz Mejri

·

Publicado

2016-07-18

·

Atualizado

2022-05-14

·

CVE-2016-6186

CVSS v3.1

6.1

Média

VetorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Django versions 1.8.0 through 1.8.13 Django versions 1.9.0 through 1.9.7 Django versions 1.10.0 through 1.10.0rc1
Description A cross-site scripting (XSS) issue exists in the dismissChangeRelatedObjectPopup function, allowing remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. This can be exploited by injecting malicious code into the webpage.
Recommendations For Django versions 1.8.0 through 1.8.13, update to version 1.8.14 or later. For Django versions 1.9.0 through 1.9.7, update to version 1.9.8 or later. For Django versions 1.10.0 through 1.10.0rc1, update to version 1.10rc1 or later. As a temporary workaround, consider disabling the dismissChangeRelatedObjectPopup function until a patch is available.

Exploit

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

ALT-PU-2016-2173
CVE-2016-6186
DLA-555-1
DSA-3622-1
GHSA-C8C8-9472-W52H
MGASA-2016-0282
PYSEC-2016-2
RHSA-2016:1594
RHSA-2016:1595
RHSA-2016:1596
USN-3039-1

Produtos afetados

Alt Linux
Django
Ubuntu