CVE-2016-2048

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*

History

21 Nov 2024, 02:47

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/82329 - () http://www.securityfocus.com/bid/82329 -
References () http://www.securitytracker.com/id/1034894 - () http://www.securitytracker.com/id/1034894 -
References () https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/ - () https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/ -

Information

Published : 2016-02-08 19:59

Updated : 2024-11-21 02:47


NVD link : CVE-2016-2048

Mitre link : CVE-2016-2048

CVE.ORG link : CVE-2016-2048


JSON object : View

Products Affected

djangoproject

  • django
CWE
CWE-284

Improper Access Control