PT-2014-3651 · Django Software Foundation+1 · Django+1
Collin Anderson
·
Published
2014-08-26
·
Updated
2022-05-14
·
CVE-2014-0483
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Django versions 1.4.x through 1.4.13
Django versions 1.5.x through 1.5.8
Django versions 1.6.x through 1.6.5
Django versions 1.7 before release candidate 3
Description
The administrative interface in Django does not check if a field represents a relationship between models. This allows remote authenticated users to obtain sensitive information via a
to field parameter in a popup action to an admin change form page, as demonstrated by a "/admin/auth/user/?pop=1&t=password" URI.Recommendations
For Django versions 1.4.x through 1.4.13, update to version 1.4.14 or later.
For Django versions 1.5.x through 1.5.8, update to version 1.5.9 or later.
For Django versions 1.6.x through 1.6.5, update to version 1.6.6 or later.
For Django versions 1.7 before release candidate 3, update to release candidate 3 or later.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Django
Ubuntu