CVE-2016-2048

Published: 08/02/2016 Updated: 28/11/2016
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.5 | Impact Score: 4.2 | Exploitability Score: 1.2
VMScore: 534
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

Django 1.9.x prior to 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

Vulnerable Product

djangoproject django 1.9

djangoproject django 1.9.1

Vendor Advisories

Debian Bug report logs - #813448 python-django: CVE-2016-2048
Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 2 Feb 2016 06:57:01 UTC
Severity: important
Tags: fi ...

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission ...