Improper query string handling in Django
Moderate severity
GitHub Reviewed
Published
Jul 23, 2018
to the GitHub Advisory Database
•
Updated May 21, 2024
Description
Published to the GitHub Advisory Database
Jul 23, 2018
Reviewed
Jun 16, 2020
Last updated
May 21, 2024
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
References