CVE-2013-0305
Django 1.3.x < 1.3.6, 1.4.x < 1.4.4, 1.5 < RC2 - Authenticated Sensitive Object History Information Exposure
Title source: llmDescription
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2013/feb/19/security/
Various Sources vendor-advisory
x_refsource_ubuntu
http://ubuntu.com/usn/usn-1757-1
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2013/dsa-2634
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0670.html
Scores
EPSS
0.0181
EPSS Percentile
75.9%
Details
CWE
CWE-200
Status
published
Products (13)
canonical/ubuntu_linux
10.04
canonical/ubuntu_linux
11.10
canonical/ubuntu_linux
12.04
canonical/ubuntu_linux
12.10
djangoproject/django
1.3 (3 CPE variants)
djangoproject/django
1.3.1
djangoproject/django
1.3.2
djangoproject/django
1.3.3
djangoproject/django
1.4 (3 CPE variants)
djangoproject/django
1.4.1
... and 3 more
Published
May 02, 2013
Tracked Since
Feb 18, 2026