PYSEC-2016-14

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2016-14.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2016-14

Aliases

CVE-2016-2048
GHSA-46x4-9jmv-jc8p

Published

2016-02-08T19:59:00Z

Modified

2023-11-08T03:58:23.488494Z

Summary

[none]

Details

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

References

http://www.securitytracker.com/id/1034894
https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/
http://www.securityfocus.com/bid/82329

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.9

Fixed

1.9.2

Affected versions

1.*

1.9

1.9.1