Описание
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | 1.6.6-1 |
| esm-infra-legacy/trusty | released | 1.6.1-2ubuntu0.4 |
| lucid | released | 1.1.1-2ubuntu1.13 |
| precise | released | 1.3.1-4ubuntu1.12 |
| trusty | released | 1.6.1-2ubuntu0.4 |
| trusty/esm | released | 1.6.1-2ubuntu0.4 |
| upstream | released | 1.6.6-1 |
Показывать по
EPSS
3.5 Low
CVSS2
Связанные уязвимости
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
The administrative interface (contrib.admin) in Django before 1.4.14, ...
Django data leakage via querystring manipulation in admin
EPSS
3.5 Low
CVSS2