
Django Data leakage via admin history log

Moderate severity GitHub Reviewed Published May 5, 2022 to the GitHub Advisory Database • Updated Sep 3, 2023

Package

django (pip)

Affected versions

>= 1.3.0, < 1.3.6
>= 1.4.0, < 1.4.4

Patched versions

1.3.6
1.4.4

Description

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.
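The missing check, shown as an added simulation that is not Django's code: User, LogEntry and the two view functions are stand-ins so it runs without Django, and the shape of the fix (requiring the model's change permission before rendering history) is an assumption about the patch, not a quote of it.

```python
# Added simulation of the admin history view before and after the fix. Not
# Django's code: the classes below are stand-ins so this runs without Django.
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied."""

@dataclass
class User:
    username: str
    is_staff: bool = True                     # may log in to the admin at all
    perms: set = field(default_factory=set)   # e.g. {"hr.change_salary"}

    def has_perm(self, perm):
        return perm in self.perms

@dataclass
class LogEntry:
    """One admin history row (constructed sample data, not a real audit log)."""
    app_label: str
    model: str
    object_id: str
    change_message: str

# Constructed history table: a sensitive hr model next to a harmless blog model.
LOG_ENTRIES = [
    LogEntry("hr", "salary", "1", "Changed amount from 50000 to 90000."),
    LogEntry("blog", "post", "7", "Changed title."),
]

def history_entries(app_label, model, object_id):
    return [e for e in LOG_ENTRIES
            if (e.app_label, e.model, e.object_id) == (app_label, model, object_id)]

def history_view_vulnerable(user, app_label, model, object_id):
    """Pre-fix: only staff status is checked, so any admin login can read the
    change log of any object, including models it has no permission on."""
    if not user.is_staff:
        raise PermissionDenied
    return history_entries(app_label, model, object_id)

def history_view_fixed(user, app_label, model, object_id):
    """Post-fix: also require the model's change permission, the same check the
    admin's change form enforces, so history leaks nothing the form would not."""
    if not user.is_staff or not user.has_perm(f"{app_label}.change_{model}"):
        raise PermissionDenied
    return history_entries(app_label, model, object_id)
```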

References

Published by the National Vulnerability Database May 2, 2013
Published to the GitHub Advisory Database May 5, 2022
Reviewed Aug 17, 2023
Last updated Sep 3, 2023

Severity

Moderate
4.3 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CVE ID

CVE-2013-0305

GHSA ID

GHSA-r7w6-p47g-vj53
