CVE-2016-2048
Severity: MEDIUM
Django 1.9.x < 1.9.2 - Authenticated Access Control Bypass via ModelAdmin Save As New
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions: the "Save as New" option on an object's change form creates a new model object, but the submission is processed with only the "change" permission, so a user who lacks the "add" permission can still create objects. (Django 1.9 regressed the check that should raise PermissionDenied for such users; 1.9.2 restores it.)
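The following is an added illustration of the flaw described above, not Django's own code and not taken from the cited advisories. It reduces ModelAdmin.changeform_view to the permission decision and stands in for Django's request and user objects with plain dataclasses. The form field name `_saveasnew` and the method names `has_add_permission` / `has_change_permission` are real Django admin names; the exact ordering shown in the vulnerable branch is a simplified reconstruction of the regression, not the upstream diff, and the `shop.product` model and permission strings are invented for the example.

```python
"""Simplified model of the ModelAdmin "Save as new" permission check.

Added example, not Django's code: it keeps only the decision of whether
a POST is treated as an "add" or a "change" and which permission is
checked as a result. User, Request and FakeAdmin are stand-ins.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class User:
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class Request:
    method: str
    user: User
    POST: dict = field(default_factory=dict)


@dataclass
class FakeAdmin:
    """Minimal stand-in for a ModelAdmin with save_as = True (assumed names)."""
    app_label: str = "shop"
    model_name: str = "product"
    save_as: bool = True
    created: list = field(default_factory=list)

    def has_add_permission(self, request):
        return request.user.has_perm(f"{self.app_label}.add_{self.model_name}")

    def has_change_permission(self, request):
        return request.user.has_perm(f"{self.app_label}.change_{self.model_name}")

    def changeform_view_vulnerable(self, request, object_id):
        """Models the 1.9.0/1.9.1 regression: the permission check runs
        while the request still looks like a change of object_id, so only
        the change permission is required, yet a new object is saved."""
        add = object_id is None
        if add:
            if not self.has_add_permission(request):
                raise PermissionDenied
        elif not self.has_change_permission(request):
            raise PermissionDenied
        if request.method == "POST" and self.save_as and "_saveasnew" in request.POST:
            object_id = None  # becomes an add only after the check ran
        return self._save(object_id)

    def changeform_view_fixed(self, request, object_id):
        """Models the behaviour the 1.9.2 release notes describe: a
        "Save as new" submission is reclassified as an add before the
        permission check, so the add permission is enforced."""
        if request.method == "POST" and self.save_as and "_saveasnew" in request.POST:
            object_id = None
        add = object_id is None
        if add:
            if not self.has_add_permission(request):
                raise PermissionDenied
        elif not self.has_change_permission(request):
            raise PermissionDenied
        return self._save(object_id)

    def _save(self, object_id):
        # Constructed persistence: new objects get ids from 1000 upward.
        if object_id is None:
            new_id = 1000 + len(self.created)
            self.created.append(new_id)
            return ("created", new_id)
        return ("changed", object_id)


def attempt(view_name: str, perms: set):
    """Submit one constructed "Save as new" POST against object 42 as a
    user holding `perms`; returns the save result or "denied"."""
    admin = FakeAdmin()
    request = Request(
        method="POST",
        user=User(set(perms)),
        POST={"_saveasnew": "Save as new", "name": "copied product"},
    )
    try:
        return getattr(admin, view_name)(request, object_id=42)
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    change_only = {"shop.change_product"}
    print("vulnerable:", attempt("changeform_view_vulnerable", change_only))
    print("fixed:     ", attempt("changeform_view_fixed", change_only))
```

Running the block shows the change-only user creating a fresh object through the vulnerable view and being refused by the fixed one; a user holding both add and change permission succeeds in both, and a user with neither is refused in both.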
References (3)
Vendor advisory (Various Sources, x_refsource_confirm): https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/
SecurityFocus BID 82329 (Third Party Advisory, VDB Entry, x_refsource_bid): http://www.securityfocus.com/bid/82329
SecurityTracker 1034894 (Third Party Advisory, VDB Entry, x_refsource_sectrack): http://www.securitytracker.com/id/1034894
Scores
CVSS v3 base score: 5.5 (MEDIUM)
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
Attack Vector: NETWORK (Privileges Required: HIGH, i.e. an authenticated admin-site user)
EPSS: 0.0152 (1.52%)
EPSS Percentile: 71.5%
Details
CWE: CWE-284 (Improper Access Control)
Status
published
Products (3)
djangoproject/django 1.9
djangoproject/django 1.9.1
pypi/Django 1.9 - 1.9.2 (PyPI; 1.9.2 is the fixed release)
Published
Feb 08, 2016
Tracked Since
Feb 18, 2026