Description
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Remediation
References
Related Vulnerabilities
Jenkins Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-3722)
WordPress Plugin WP Mail Logging Cross-Site Scripting (1.8.2)
MediaWiki Improper Encoding or Escaping of Output Vulnerability (CVE-2020-10960)
MySQL CVE-2024-21087 Vulnerability (CVE-2024-21087)
WordPress Plugin Global Flash Galleries Cross-Site Scripting (0.13.4)