CVSS2: 4 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.003 Low

Percentile: 69.7%

The administrative interface in django.contrib.admin in Django before
1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly
restrict use of the query string to perform certain object filtering, which
allows remote authenticated users to obtain sensitive information via a
series of requests containing regular expressions, as demonstrated by a
created_by__password__regex parameter.
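
A log audit for the behaviour described above, added here as an example and not taken from Django or from this advisory: it flags admin requests whose query-string keys filter on a field path outside an allow-list. The allow-list, the control-key set, the log format and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Django ORM lookup types that may end a query-string filter key.
LOOKUP_TYPES = {"exact", "iexact", "contains", "icontains", "in", "gt", "gte",
                "lt", "lte", "startswith", "istartswith", "endswith", "iendswith",
                "range", "year", "month", "day", "week_day", "isnull", "search",
                "regex", "iregex"}
# Changelist control parameters (ordering, paging, search); assumed set.
CONTROL_KEYS = {"o", "ot", "p", "q", "all", "e", "pop", "t"}
# Assumption: the only field paths this admin is meant to filter on.
ALLOWED_PATHS = {"status", "pub_date", "created_by__id"}

def field_path(key):
    """Strip a trailing lookup type: 'a__b__regex' -> ('a__b', 'regex')."""
    parts = key.split("__")
    if len(parts) > 1 and parts[-1] in LOOKUP_TYPES:
        return "__".join(parts[:-1]), parts[-1]
    return key, "exact"

def rejected_lookups(url):
    """Return (path, lookup) pairs in a URL that filter on a non-allowed path."""
    bad = []
    for key, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key in CONTROL_KEYS:
            continue
        path, lookup = field_path(key)
        if path not in ALLOWED_PATHS:
            bad.append((path, lookup))
    return bad

def audit(log_lines):
    """Map each user to the disallowed (path, lookup) pairs they requested."""
    findings = defaultdict(list)
    for line in log_lines:
        user, _method, url = line.split(" ", 2)
        if url.startswith("/admin/"):
            findings[user].extend(rejected_lookups(url))
    return {user: hits for user, hits in findings.items() if hits}

# Constructed sample log, "<user> <method> <url>"; users and paths are made up.
SAMPLE_LOG = [
    "alice GET /admin/blog/entry/?status__exact=draft&o=2",
    "bob GET /admin/blog/entry/?created_by__id__exact=3&p=1",
    "carol GET /admin/blog/entry/?created_by__password__regex=x",
    "carol GET /admin/blog/entry/?created_by__password__regex=y&ot=asc",
    "dave GET /blog/?created_by__password__regex=x",
]
```

Calling `audit(SAMPLE_LOG)` reports only `carol`, whose two requests traverse the `created_by` relation to a field the admin never offered as a filter.
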

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 9.10 | noarch | python-django | < 1.1.1-1ubuntu1.1 | UNKNOWN |
ubuntu | 10.04 | noarch | python-django | < 1.1.1-2ubuntu1.2 | UNKNOWN |
ubuntu | 10.10 | noarch | python-django | < 1.2.3-1ubuntu0.2.10.10.1 | UNKNOWN |
ubuntu | 11.04 | noarch | python-django | < 1.2.3-1ubuntu0.2.11.04.1 | UNKNOWN |
ubuntu | 11.10 | noarch | python-django | < 1.2.3-1ubuntu0.2.11.04.1 | UNKNOWN |