Description

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.

Remediation

References

CVE-2010-4534

Related Vulnerabilities

Play Framework Improper Restriction of XML External Entity Reference Vulnerability (CVE-2014-3630)

WordPress Plugin Duplicator-WordPress Migration Unspecified Vulnerability (1.1.34)

WordPress Plugin YouSayToo auto-publishing 'submit' Parameter Cross-Site Scripting (1.0.1)

WordPress Plugin The Guardian News Feed Cross-Site Request Forgery (0.4)

WordPress 3.9.x Multiple Vulnerabilities (3.9 - 3.9.30)

Severity

Medium

Classification

CVE-2010-4534 CWE-264

Tags

Missing Update Known Vulnerabilities