Improper access control in Django - CVE-2016-2048
Published: May 16, 2018
Vulnerability identifier: #VU12763
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-2048
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Django Software Foundation
Affected software:
Django 1.9.0 and 1.9.1 (the 1.9 series before 1.9.2)
Detailed vulnerability description
The vulnerability allows a remote authenticated user to bypass the Django admin's "add" permission and create new objects.
The weakness exists due to improper access restrictions in the Django admin change view. For a ModelAdmin configured with save_as=True, the change form offers a "Save as New" option that submits the edited object as a new record. In Django 1.9.0 and 1.9.1 the view authorised such a submission against the "change" permission only and did not require the "add" permission for the resulting create, so a user who holds the "change" permission for a model but not the "add" permission can create new instances of that model through "Save as New". The issue is limited to ModelAdmin classes that set save_as=True (it is not the default).
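The following is an added illustration of the permission gate described above; it is not code from Django or from this advisory. It is a framework-free model of the admin change-form authorisation step: `AdminRequest`, `changeform_gate`, `gate_decision`, the `shop.product` model and its permission strings are hypothetical, and only the `_saveasnew` POST key and the `<app>.add_<model>` / `<app>.change_<model>` codename shape mirror Django. The `fixed=False` path reproduces the 1.9.0/1.9.1 behaviour (a "Save as New" submission is authorised as a change yet creates a new object); `fixed=True` mirrors the 1.9.2 behaviour, where such a submission is treated as an add and therefore requires the add permission.

```python
"""Added illustration for CVE-2016-2048 (not Django's own code).

Minimal, framework-free model of the admin change-form permission gate.
AdminRequest, changeform_gate, gate_decision and the shop.product permission
strings are hypothetical stand-ins; only the "_saveasnew" POST key and the
"<app>.add_<model>" / "<app>.change_<model>" codename shape mirror Django.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class AdminRequest:
    """Hypothetical authenticated admin request (constructed sample data)."""
    method: str
    post: dict = field(default_factory=dict)
    perms: frozenset = frozenset()  # e.g. {"shop.change_product"}

    def has_perm(self, codename: str) -> bool:
        return codename in self.perms


def changeform_gate(request: AdminRequest, app_label: str, model_name: str,
                    object_id, fixed: bool = True) -> str:
    """Authorise a change-form submission and return the operation that will
    actually be performed: "add" or "change".

    fixed=False reproduces the 1.9.0/1.9.1 behaviour: a POST carrying
    "_saveasnew" for an existing object is authorised as a *change*, yet the
    view goes on to create a new row.  fixed=True mirrors the 1.9.2 fix:
    "_saveasnew" turns the request into an add, which needs the add permission.
    """
    save_as_new = request.method == "POST" and "_saveasnew" in request.post
    if fixed and save_as_new:
        object_id = None  # treat the request as an add, like the patched view
    is_add = object_id is None
    if is_add:
        if not request.has_perm(f"{app_label}.add_{model_name}"):
            raise PermissionDenied("add permission required")
        return "add"
    if not request.has_perm(f"{app_label}.change_{model_name}"):
        raise PermissionDenied("change permission required")
    # Unpatched path: only the change permission was checked, but a
    # "_saveasnew" submission still results in a new object being created.
    return "add" if save_as_new else "change"


def gate_decision(request, app_label, model_name, object_id, fixed=True) -> str:
    """Convenience wrapper: "add", "change" or "denied" instead of raising."""
    try:
        return changeform_gate(request, app_label, model_name, object_id, fixed)
    except PermissionDenied:
        return "denied"


def demo() -> dict:
    """Constructed scenario: a staff user holding only shop.change_product
    submits the change form for product #7, once via "Save as new" and once
    via a plain "Save"."""
    change_only = frozenset({"shop.change_product"})
    save_as_new = AdminRequest("POST", {"_saveasnew": "Save as new"}, change_only)
    plain_save = AdminRequest("POST", {"_save": "Save"}, change_only)
    return {
        "1.9.1 save_as_new": gate_decision(save_as_new, "shop", "product", 7, fixed=False),
        "1.9.2 save_as_new": gate_decision(save_as_new, "shop", "product", 7, fixed=True),
        "1.9.2 plain_save": gate_decision(plain_save, "shop", "product", 7, fixed=True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point the model makes is that hiding or showing the "Save as New" button is not the control that matters: the server-side view must decide which operation a submission performs (here, whether `_saveasnew` is present) before it chooses which permission to check. In a real deployment the equivalent decision lives in ModelAdmin's change view and `has_add_permission`, and the practical fix remains upgrading to 1.9.2 or later.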
How to mitigate CVE-2016-2048
Update Django to version 1.9.2 or later. Until the upgrade is applied, disabling save_as on affected ModelAdmin classes removes the "Save as New" path.