CVE-2014-0483

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6	Exploit Patch
https://www.djangoproject.com/weblog/2014/aug/20/security/	Vendor Advisory
http://www.debian.org/security/2014/dsa-3010
http://secunia.com/advisories/59782
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
http://secunia.com/advisories/61281
http://secunia.com/advisories/61276

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:opensuse:opensuse:12.3:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:djangoproject:django:1.5.3:::::::*
	cpe:2.3:a:djangoproject:django:1.5.4:::::::*
	cpe:2.3:a:djangoproject:django:1.5:::::::*
	cpe:2.3:a:djangoproject:django:1.5.5:::::::*
	cpe:2.3:a:djangoproject:django:1.5.6:::::::*
	cpe:2.3:a:djangoproject:django:1.5:alpha::::::
	cpe:2.3:a:djangoproject:django:1.5:beta::::::
	cpe:2.3:a:djangoproject:django:1.5.7:::::::*
	cpe:2.3:a:djangoproject:django:1.5.8:::::::*
	cpe:2.3:a:djangoproject:django:1.5.1:::::::*
	cpe:2.3:a:djangoproject:django:1.5.2:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:djangoproject:django:1.6:beta2::::::
	cpe:2.3:a:djangoproject:django:1.6:beta3::::::
	cpe:2.3:a:djangoproject:django:1.6:beta4::::::
	cpe:2.3:a:djangoproject:django:1.6.1:::::::*
	cpe:2.3:a:djangoproject:django:1.6.2:::::::*
	cpe:2.3:a:djangoproject:django:1.6.3:::::::*
	cpe:2.3:a:djangoproject:django:1.6:-::::::
	cpe:2.3:a:djangoproject:django:1.6:beta1::::::
	cpe:2.3:a:djangoproject:django:1.6.4:::::::*
	cpe:2.3:a:djangoproject:django:1.6.5:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:djangoproject:django:1.4:::::::*
	cpe:2.3:a:djangoproject:django:1.4.4:::::::*
	cpe:2.3:a:djangoproject:django:1.4.5:::::::*
	cpe:2.3:a:djangoproject:django:1.4.1:::::::*
	cpe:2.3:a:djangoproject:django:1.4.10:::::::*
	cpe:2.3:a:djangoproject:django:1.4.6:::::::*
	cpe:2.3:a:djangoproject:django:1.4.7:::::::*
	cpe:2.3:a:djangoproject:django:1.4.11:::::::*
	cpe:2.3:a:djangoproject:django:1.4.12:::::::*
	cpe:2.3:a:djangoproject:django:1.4.8:::::::*
	cpe:2.3:a:djangoproject:django:1.4.9:::::::*
	cpe:2.3:a:djangoproject:django:1.4.2:::::::*
	cpe:2.3:a:djangoproject:django::::::::

Configuration 5 (hide)

OR	cpe:2.3:a:djangoproject:django:1.7:beta1::::::
	cpe:2.3:a:djangoproject:django:1.7:beta2::::::
	cpe:2.3:a:djangoproject:django:1.7:beta3::::::
	cpe:2.3:a:djangoproject:django:1.7:beta4::::::
	cpe:2.3:a:djangoproject:django:1.7:rc1::::::
	cpe:2.3:a:djangoproject:django:1.7:rc2::::::

Information

Published : 2014-08-26 07:55

Updated : 2018-10-30 09:27

NVD link : CVE-2014-0483

Mitre link : CVE-2014-0483

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

djangoproject

django

opensuse

opensuse

3.5 /10