CVE-2016-6186
Published: 2016-08-05
CVE-2016-6186: Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in…
Priority: P3 (38), medium. CVSS 3.0 base score: 6.1
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit: public exploit code is referenced (Exploit-DB 40129, Packet Storm, vulnerability-lab; see References)
EPSS: 5.54% (91.8th percentile)
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Affected
16 ranges reported by the sources; rows carrying no version data are omitted.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-django | < 1:1.9.8-1 | 1:1.9.8-1 (bookworm) |
| djangoproject | django | >= 0 < 1.8.14 (also listed as <= 1.8.13) | 1.8.14 |
| djangoproject | django | >= 1.9 < 1.9.8 | 1.9.8 |
| djangoproject | django | >= 1.10a1 < 1.10rc1 | 1.10rc1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
Reading the vector: the injected script runs in the browser of an admin user who is working in the add/change related popup (hence UI:R and S:C), so the practical exposure depends on who can supply the content that the popup inserts into the admin page.
GHSA
Django Cross-site scripting Vulnerability
ghsa · 2022-05-14 · CVE-2016-6186 [MEDIUM] · CWE-79
Cross-site scripting (XSS) vulnerability in the `dismissChangeRelatedObjectPopup` function in `contrib/admin/static/admin/js/admin/RelatedObjectLookups.js` in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
OSV
Django Cross-site scripting Vulnerability
osv · 2022-05-14 · CVE-2016-6186 [MEDIUM]
Description identical to the GHSA entry above.
OSV
CVE-2016-6186: Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups
osv · 2016-08-05 · CVSS 6.1 · CVE-2016-6186 [MEDIUM]
Description identical to the NVD text above.
Ubuntu
Django vulnerability
vendor_ubuntu · 2016-07-19 · CVE-2016-6186
Summary: A security issue was fixed in Django.
It was discovered that Django incorrectly handled the admin's add/change related popup. A remote attacker could possibly use this issue to perform a cross-site scripting attack.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
django: XSS in admin's add/change related popup
vendor_redhat · 2016-07-18 · CVSS 6.1 · CVE-2016-6186 [MEDIUM] · CWE-79
NVD description as above.
A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript's Element.innerHTML to forge content in the admin's add/change related pop-up. Element.textContent is now used to prevent XSS data execution.
Package: Django (Red Hat Ceph Storage 1.3) - Will not fix
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affec
Debian
CVE-2016-6186: python-django - Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup ...
vendor_debian · 2016 · CVSS 6.1 · CVE-2016-6186 [MEDIUM]
NVD description as above.
Scope: local
Status by suite (all resolved, fixed in 1:1.9.8-1): bookworm, bullseye, forky, sid, trixie
Detection rules: none found.
Bugzilla
CVE-2016-6186 python-django-horizon: django: XSS in admin's add/change related popup [openstack-rdo]
bugzilla · 2016-07-19 · CVSS 6.1 · [MEDIUM]
This is an RDO Project security tracking bug against python-django-horizon. It was created to ensure that one or more security vulnerabilities are fixed. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
[bug automatically created by: add-tracking-bugs]
Discussion:
This is not an issue in Horizon itself, but a Django issue. Horizon does not use the Django Admin dashboard at all.
Bugzilla
CVE-2016-6186 django14: django: XSS in admin's add/change related popup [epel-6]
bugzilla · 2016-07-19 · CVSS 6.1 · [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
Bugzilla
CVE-2016-6186 python-django15: django: XSS in admin's add/change related popup [epel-6]
bugzilla · 2016-07-19 · CVSS 6.1 · [MEDIUM]
Automatically created Fedora EPEL tracking bug; same template text as the django14 [epel-6] entry above.
[bug automatically created by: add-tracking-bugs]
Bugzilla
CVE-2016-6186 python-django: django: XSS in admin's add/change related popup [epel-7]
bugzilla · 2016-07-19 · CVSS 6.1 · [MEDIUM]
Automatically created Fedora EPEL tracking bug; same template text as the django14 [epel-6] entry above.
[bug automatically created by: add-tracking-bugs]
Bugzilla
CVE-2016-6186 python-django-openstack-auth: django: XSS in admin's add/change related popup [openstack-rdo]
bugzilla · 2016-07-19 · CVSS 6.1 · [MEDIUM]
This is an RDO Project security tracking bug against python-django-openstack-auth. It was created to ensure that one or more security vulnerabilities are fixed. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
[bug automatically created by: add-tracking-bugs]
Discussion:
This is a Django issue, not an issue in django_openstack_auth.
Bugzilla
CVE-2016-6186 python-django: django: XSS in admin's add/change related popup [fedora-all]
bugzilla · 2016-07-19 · CVSS 6.1 · [MEDIUM]
Automatically created Fedora tracking bug; same template text as the [epel-6] entries above, for affected versions of Fedora.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2016-6186 django: XSS in admin's add/change related popup
bugzilla · 2016-07-12 · CVSS 6.1 · [MEDIUM]
XSS vulnerability was found in django. Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the admin's add/change related popup. ``Element.textContent`` is now used to prevent execution of the data.
The debug view also used ``innerHTML``. Although a security issue wasn't identified there, out of an abundance of caution it's also updated to use ``textContent``.
Discussion:
Acknowledgements:
Name: the upstream Django project
---
Created Django14 tracking bugs for this issue:
Affects: epel-6 [bug 1357702]
---
Created python-django15 tracking bugs for this issue:
Affects: epel-6 [bug 1357703]
---
Created python-django tracking bugs for this issue:
Affects: fedora-all [bug 1357701]
Affects: epel-7
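The Red Hat and Bugzilla entries above agree on the mechanism: the popup handler wrote the new object representation into the page with innerHTML, and the fix switched to textContent. The script below is an added example for this page, not Django project code. It applies the fixed-in versions from the advisory (1.8.14, 1.9.8, 1.10rc1) to a version string, and scans the served copy of RelatedObjectLookups.js for an innerHTML assignment, which is what the patched file no longer contains. The JavaScript embedded in the block is a constructed, simplified stand-in for the pre- and post-fix shape of dismissChangeRelatedObjectPopup (the newRepr argument and the option-update loop are assumed from Django's source, not from this page), and the STATIC_ROOT path in the usage comment is an assumed deployment layout.

```python
"""Check a Django deployment for CVE-2016-6186 (admin popup XSS).

Added example, not Django project code. It applies the advisory's fixed
versions (1.8.14, 1.9.8, 1.10rc1) and looks for the unsafe innerHTML
assignment that the fix replaced with textContent.
"""
import re

# Fixed-in versions per release series, from the advisory. Everything below
# 1.8.14 (any older series) is affected; 1.11+ shipped after the fix.
FIXED_IN = {(1, 9): "1.9.8", (1, 10): "1.10rc1"}
FIRST_SAFE_1_8 = "1.8.14"

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}   # Django pre-release tags, in order
_FINAL = 3

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?")


def parse_version(text):
    """Turn '1.9.7', '1.10a1' or '1.10rc1' into a comparable tuple.

    A final release sorts after every pre-release of the same number,
    so 1.10a1 < 1.10b1 < 1.10rc1 < 1.10.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised Django version: %r" % text)
    major, minor, micro, tag, num = m.groups()
    pre = (_PRE_RANK[tag], int(num)) if tag else (_FINAL, 0)
    return (int(major), int(minor), int(micro or 0)) + pre


def is_vulnerable(version):
    """True when `version` falls inside an affected range from the advisory."""
    v = parse_version(version)
    if v < parse_version(FIRST_SAFE_1_8):
        return True                        # advisory range ">= 0 < 1.8.14"
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < parse_version(fixed)


# An assignment to innerHTML, but not a comparison (`innerHTML === ...`).
_UNSAFE_ASSIGN = re.compile(r"\.innerHTML\s*=(?!=)")


def scan_js(source):
    """Return (line number, stripped line) for each innerHTML assignment.

    The patched RelatedObjectLookups.js updates the option with textContent,
    so a hit in a deployed copy means the old file is still being served.
    """
    return [(n, line.strip())
            for n, line in enumerate(source.splitlines(), 1)
            if _UNSAFE_ASSIGN.search(line)]


def check_install(version, js_source):
    """Combine both checks into one report dict."""
    return {
        "version": version,
        "version_vulnerable": is_vulnerable(version),
        "innerhtml_assignments": scan_js(js_source),
    }


# Constructed, simplified stand-ins for the pre- and post-fix shape of
# dismissChangeRelatedObjectPopup; not Django's file verbatim.
VULNERABLE_SNIPPET = """\
function dismissChangeRelatedObjectPopup(win, objId, newRepr, newId) {
    objId = html_unescape(objId);
    newRepr = html_unescape(newRepr);
    var id = windowname_to_id(win.name).replace(/^edit_/, '');
    $('#' + id).find('option').each(function() {
        if (this.value === objId) {
            this.innerHTML = newRepr;
            this.value = newId;
        }
    });
    win.close();
}
"""
PATCHED_SNIPPET = VULNERABLE_SNIPPET.replace("this.innerHTML = newRepr;",
                                             "this.textContent = newRepr;")


if __name__ == "__main__":
    # Demo on the constructed snippets. On a real host pass django.get_version()
    # and the contents of the served copy of the file, e.g.
    # STATIC_ROOT/admin/js/admin/RelatedObjectLookups.js (assumed layout).
    print(check_install("1.9.7", VULNERABLE_SNIPPET))
    print(check_install("1.9.8", PATCHED_SNIPPET))
```

Run it with no arguments to see the report on the constructed snippets. The file scan is there because a STATIC_ROOT populated by collectstatic before the package upgrade keeps serving the old JavaScript until collectstatic is run again; that is general Django deployment behaviour, not something this advisory states.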
References
http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
http://rhn.redhat.com/errata/RHSA-2016-1594.html
http://rhn.redhat.com/errata/RHSA-2016-1595.html
http://rhn.redhat.com/errata/RHSA-2016-1596.html
http://seclists.org/fulldisclosure/2016/Jul/53
http://www.debian.org/security/2016/dsa-3622
http://www.securityfocus.com/archive/1/538947/100/0/threaded
http://www.securityfocus.com/bid/92058
http://www.securitytracker.com/id/1036338
http://www.ubuntu.com/usn/USN-3039-1
http://www.vulnerability-lab.com/get_content.php?id=1869
https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
https://www.exploit-db.com/exploits/40129/
Published: 2016-08-05