Description
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Remediation
References
Related Vulnerabilities
WordPress Plugin Unconfirmed Cross-Site Scripting (1.2.3)
MySQL CVE-2016-5631 Vulnerability (CVE-2016-5631)
WordPress Plugin BuddyStream Multiple Cross-Site Scripting Vulnerabilities (2.6.2)
WordPress Plugin Ultimate Google Analytics Cross-Site Request Forgery (1.6.0)
Jenkins Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-7330)