CVE-2014-0483
3.5
Vector
AV:N/AC:M/Au:S/C:P/I:N/A:N
Exploitability: 6.8 / Impact: 2.9
Source: NVD
Description
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
Affected (42)
Products: Opensuse: Opensuse · Djangoproject: Django
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Version 1.5.1 |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Version 1.6.1 |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 1.4.13 |
Configuration E
| Vulnerable Software | Affected Versions |
|---|---|
| Version 1.7 beta1 |
Related CWEs
References (14)
Source: security@debian.org
Source: security@debian.org
Source: security@debian.org
Source: security@debian.org
Source: security@debian.org
Source: security@debian.org
ExploitPatch
Source: security@debian.org
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.