CVE-2019-19118

Name of the Vulnerable Software and Affected Versions Django versions 2.1 through 2.1.14 Django versions 2.2 through 2.2.7

Description The issue allows unintended model editing in certain configurations. When a Django model admin displays inline related models and the user has view-only permissions to a parent model but edit permissions to the inline model, the user is presented with an editing UI. This UI allows POST requests for updating the inline model, which can trigger the parent model's save() method, even though directly editing the view-only parent model is not possible. This can cause potential side effects and invoke pre and post-save signal handlers.

Recommendations For Django versions 2.1 through 2.1.14, update to version 2.1.15 or later to resolve the issue. For Django versions 2.2 through 2.2.7, update to version 2.2.8 or later to resolve the issue.