Collin Anderson

**Name of the Vulnerable Software and Affected Versions** Django versions 1.4.x through 1.4.13 Django versions 1.5.x through 1.5.8 Django versions 1.6.x through 1.6.5 Django versions 1.7 before release candidate 3 **Description** The administrative interface in Django does not check if a field represents a relationship between models. This allows remote authenticated users to obtain sensitive information via a `to field` parameter in a popup action to an admin change form page, as demonstrated by a "/admin/auth/user/?pop=1&t=password" URI. **Recommendations** For Django versions 1.4.x through 1.4.13, update to version 1.4.14 or later. For Django versions 1.5.x through 1.5.8, update to version 1.5.9 or later. For Django versions 1.6.x through 1.6.5, update to version 1.6.6 or later. For Django versions 1.7 before release candidate 3, update to release candidate 3 or later.