CVE-2013-0305

Django 1.3.x < 1.3.6, 1.4.x < 1.4.4, 1.5 < RC2 - Authenticated Sensitive Object History Information Exposure

Title source: llm
STIX 2.1

Description

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.

References (4)

Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2013/feb/19/security/
Various Sources vendor-advisory x_refsource_ubuntu
http://ubuntu.com/usn/usn-1757-1
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2634
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0670.html

Scores

EPSS 0.0181
EPSS Percentile 75.9%

Details

CWE
CWE-200
Status published
Products (13)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 11.10
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
djangoproject/django 1.3 (3 CPE variants)
djangoproject/django 1.3.1
djangoproject/django 1.3.2
djangoproject/django 1.3.3
djangoproject/django 1.4 (3 CPE variants)
djangoproject/django 1.4.1
... and 3 more
Published May 02, 2013
Tracked Since Feb 18, 2026