4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
47.1%
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
editing. A Django model admin displaying inline related models, where the
user has view-only permissions to a parent model but edit permissions to
the inline model, would be presented with an editing UI, allowing POST
requests, for updating the inline model. Directly editing the view-only
parent model was not possible, but the parent model’s save() method was
called, triggering potential side effects, and causing pre and post-save
signal handlers to be invoked. (To resolve this, the Django admin is
adjusted to require edit permissions on the parent model in order for
inline models to be editable.)
Author | Note |
---|---|
alexmurray | According to the upstream advisory only affects version 2.1, 2.2, 3.0 and master |
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
47.1%