CVE-2010-4534 — Improper Input Validation in Django

CWE-264 CWE-20 — Improper Input Validation8 documents7 sources

Severity

4.0MEDIUMNVD

EPSS

0.6%

top 31.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedJan 10

Latest updateJul 23

Description

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.2 — 1.2.4+1

▶NVDdjangoproject/django1.1.2+14

Patches

Patch: code.djangoproject.com ↗Patch: www.djangoproject.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

Improper query string handling in Django↗2018-07-23

▶

OSV

Improper query string handling in Django↗2018-07-23

▶

CVEList

CVE-2010-4534: The administrative interface in django↗2011-01-10

▶

OSV

CVE-2010-4534: The administrative interface in django↗2011-01-10

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2011-01-07

▶

Debian

CVE-2010-4534: python-django - The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2...↗2010

▶

💬Community

Bugzilla

CVE-2010-4534, CVE-2010-4535 Information leakage and DoS vulnerabilities in Django < 1.2.4 & 1.1.3↗2010-12-23

▶