CVE-2016-2048

MEDIUM

Django <1.9.2 - Auth Bypass

Title source: llm

Description

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

Scores

CVSS v3 5.5
EPSS 0.0014
EPSS Percentile 34.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

Classification

CWE
CWE-284
Status draft

Affected Products (3)

djangoproject/django
djangoproject/django
pypi/Django < 1.9.2 (PyPI)

Timeline

Published Feb 08, 2016
Tracked Since Feb 18, 2026