GHSA-46x4-9jmv-jc8p

Source
https://github.com/advisories/GHSA-46x4-9jmv-jc8p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-46x4-9jmv-jc8p/GHSA-46x4-9jmv-jc8p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-46x4-9jmv-jc8p
Aliases
Published
2022-05-17T03:43:00Z
Modified
2024-11-28T05:40:43.356101Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Django Access Restrictions Bypass
Details

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create objects through the ModelAdmin via the "Save as New" option when editing objects, leveraging the "change" permission.

Database specific
{
    "nvd_published_at": "2016-02-08T19:59:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T22:43:10Z"
}
References

Affected packages

PyPI / django

Affected ranges

Type: ECOSYSTEM
Events: Introduced 1.9; Fixed 1.9.2

Affected versions

1.9
1.9.1