3.5

CVE-2014-0483

Exploit
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpensuseOpensuse Version12.3
OpensuseOpensuse Version13.1
DjangoprojectDjango Version1.5
DjangoprojectDjango Version1.5 Updatealpha
DjangoprojectDjango Version1.5 Updatebeta
DjangoprojectDjango Version1.5.1
DjangoprojectDjango Version1.5.2
DjangoprojectDjango Version1.5.3
DjangoprojectDjango Version1.5.4
DjangoprojectDjango Version1.5.5
DjangoprojectDjango Version1.5.6
DjangoprojectDjango Version1.5.7
DjangoprojectDjango Version1.5.8
DjangoprojectDjango Version1.6 Update-
DjangoprojectDjango Version1.6 Updatebeta1
DjangoprojectDjango Version1.6 Updatebeta2
DjangoprojectDjango Version1.6 Updatebeta3
DjangoprojectDjango Version1.6 Updatebeta4
DjangoprojectDjango Version1.6.1
DjangoprojectDjango Version1.6.2
DjangoprojectDjango Version1.6.3
DjangoprojectDjango Version1.6.4
DjangoprojectDjango Version1.6.5
DjangoprojectDjango Version <= 1.4.13
DjangoprojectDjango Version1.4
DjangoprojectDjango Version1.4.1
DjangoprojectDjango Version1.4.2
DjangoprojectDjango Version1.4.4
DjangoprojectDjango Version1.4.5
DjangoprojectDjango Version1.4.6
DjangoprojectDjango Version1.4.7
DjangoprojectDjango Version1.4.8
DjangoprojectDjango Version1.4.9
DjangoprojectDjango Version1.4.10
DjangoprojectDjango Version1.4.11
DjangoprojectDjango Version1.4.12
DjangoprojectDjango Version1.7 Updatebeta1
DjangoprojectDjango Version1.7 Updatebeta2
DjangoprojectDjango Version1.7 Updatebeta3
DjangoprojectDjango Version1.7 Updatebeta4
DjangoprojectDjango Version1.7 Updaterc1
DjangoprojectDjango Version1.7 Updaterc2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.98% 0.78
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:P/I:N/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
http://secunia.com/advisories/61281
http://secunia.com/advisories/59782
http://secunia.com/advisories/61276
http://www.debian.org/security/2014/dsa-3010
https://www.djangoproject.com/weblog/2014/aug/20/security/
Vendor Advisory
https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6
Patch
Exploit