CVE-2014-0483 — Sensitive Information Exposure in Django
Severity
3.5LOWNVD
OSV5.8
EPSS
0.4%
top 37.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 26
Latest updateMay 14
Description
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
CVSS vector
AV:N/AC:M/C:P/I:N/A:NExploitability: 6.8 | Impact: 2.9
Affected Packages3 packages
Patches
🔴Vulnerability Details
5📋Vendor Advisories
3💬Community
7Bugzilla
▶
Bugzilla▶
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django: various flaws [fedora-all]↗2014-08-22
Bugzilla▶
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django15: various flaws [epel-6]↗2014-08-22
Bugzilla▶
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django15: various flaws [fedora-20]↗2014-08-22
Bugzilla▶
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django15: various flaws [epel-7]↗2014-08-22