Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-6186 — Cross-site Scripting in Django

CWE-79 — Cross-site Scripting16 documents9 sources

Severity

6.1MEDIUMNVD

EPSS

13.1%

top 5.87%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Djangoproject Django Debian Linux

Timeline

PublishedAug 5

Latest updateMay 14

Description

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶PyPIdjangoproject/django1.9 — 1.9.8+2

▶NVDdjangoproject/django1.8.13+10

Also affects: Debian Linux 8.0

Patches

Patch: seclists.org ↗Patch: www.vulnerability-lab.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Django Cross-site scripting Vulnerability↗2022-05-14

▶

OSV

Django Cross-site scripting Vulnerability↗2022-05-14

▶

OSV

CVE-2016-6186: Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups↗2016-08-05

▶

CVEList

CVE-2016-6186: Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups↗2016-08-05

▶

💥Exploits & PoCs

Exploit-DB

Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting↗2016-07-20

▶

📋Vendor Advisories

Ubuntu

Django vulnerability↗2016-07-19

▶

Red Hat

django: XSS in admin's add/change related popup↗2016-07-18

▶

Debian

CVE-2016-6186: python-django - Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup ...↗2016

▶

💬Community

Bugzilla

CVE-2016-6186 python-django-horizon: django: XSS in admin's add/change related popup [openstack-rdo]↗2016-07-19

▶

Bugzilla

CVE-2016-6186 django14: django: XSS in admin's add/change related popup [epel-6]↗2016-07-19

▶

Bugzilla

CVE-2016-6186 python-django15: django: XSS in admin's add/change related popup [epel-6]↗2016-07-19

▶

Bugzilla

CVE-2016-6186 python-django: django: XSS in admin's add/change related popup [epel-7]↗2016-07-19

▶

Bugzilla

CVE-2016-6186 python-django-openstack-auth: django: XSS in admin's add/change related popup [openstack-rdo]↗2016-07-19

▶