CVE-2016-2048

EUVD-2016-0003
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.5 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N |
EPSS Score
Percentile: 34%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| djangoproject | django | 1.9 |
| djangoproject | django | 1.9.1 |

𝑥 = Vulnerable software versions
Debian Releases
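| Debian Product | Codename | Version | Status |
|---|---|---|---|
| python-django | bookworm | 3:3.2.19-1+deb12u1 | fixed |
| python-django | bookworm (security) | 3:3.2.19-1+deb12u1 | fixed |
| python-django | bullseye | 2:2.2.28-1~deb11u2 | fixed |
| python-django | bullseye (security) | 2:2.2.28-1~deb11u2 | fixed |
| python-django | jessie | | not-affected |
| python-django | sid | 3:4.2.16-1 | fixed |
| python-django | squeeze | | not-affected |
| python-django | trixie | 3:4.2.16-1 | fixed |
| python-django | wheezy | | not-affected |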
Ubuntu Releases
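| Ubuntu Product | Codename | Status |
|---|---|---|
| python-django | precise | not-affected |
| python-django | trusty | not-affected |
| python-django | vivid | not-affected |
| python-django | wily | not-affected |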