cbcvebase.
CVE-2014-0483
published 2014-08-26

CVE-2014-0483: The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check…

PriorityP414low3.5CVSS 2.0
AVNACMAuSCPINAN
EPSS
1.98%
78.1th percentile
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.

Affected

36 ranges· showing 25
VendorProductVersion rangeFixed in
debianpython-django< python-django 1.6.6-1 (bookworm)python-django 1.6.6-1 (bookworm)
djangoprojectdjango<= 1.4.13
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango
djangoprojectdjango

CVSS provenance

nvdv2.03.5LOWAV:N/AC:M/Au:S/C:P/I:N/A:N
osv5.8MEDIUM
vendor_ubuntu5.8MEDIUM
vendor_debian3.5LOW
vendor_redhat3.5LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.