FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2014-0483

This CVE name corresponds to:

Entered: 2014-08-21
Topic: django -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2014-0483
Phase: Assigned (20131219)

Description

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
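The missing check the description refers to, as an added illustrative example (this is not Django's code and not the exact logic of the referenced commit; the Field, Model and REGISTRY structures below are hypothetical stand-ins for Django's model metadata, and the `t` query parameter follows the URI quoted above). The rule demonstrated is the safe one: a changelist popup may only honour a `to_field` value that is the model's primary key or that some relation field on a registered model actually targets; any other field name, including `password`, is refused before the changelist is rendered.

```python
"""Illustrative to_field validation for an admin changelist popup.

Constructed example: the registry below stands in for Django's model
metadata so the check can run offline. It is not django.contrib.admin code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

TO_FIELD_VAR = "t"  # query parameter name as used in the /admin/auth/user/?pop=1&t=password example


@dataclass
class Field:
    name: str
    primary_key: bool = False
    # For relation fields only: (target model name, target field name)
    rel_to: Optional[Tuple[str, str]] = None


@dataclass
class Model:
    name: str
    fields: List[Field] = field(default_factory=list)


# Constructed sample registry (hypothetical models, not real Django apps).
REGISTRY: Dict[str, Model] = {
    "User": Model("User", [
        Field("id", primary_key=True),
        Field("username"),
        Field("password"),          # hash must never be exposed via a popup
    ]),
    "Profile": Model("Profile", [
        Field("id", primary_key=True),
        Field("user", rel_to=("User", "id")),          # FK to User.id
    ]),
    "AuditEntry": Model("AuditEntry", [
        Field("id", primary_key=True),
        Field("actor", rel_to=("User", "username")),   # FK with to_field="username"
    ]),
}


def to_field_allowed(registry: Dict[str, Model], model_name: str, to_field: str) -> bool:
    """Return True only if to_field is the primary key or the target of some relation.

    The vulnerable behaviour accepted any field name here; refusing unknown
    and non-relational fields is what closes the information leak.
    """
    model = registry[model_name]
    by_name = {f.name: f for f in model.fields}
    if to_field not in by_name:
        return False                      # unknown field: refuse, do not guess
    if by_name[to_field].primary_key:
        return True
    # Scan every registered model (the target model included) for a relation
    # whose declared target is exactly (model_name, to_field).
    for other in registry.values():
        for f in other.fields:
            if f.rel_to == (model_name, to_field):
                return True
    return False


def check_popup_request(registry: Dict[str, Model], model_name: str,
                        query_string: str) -> Tuple[bool, Optional[str]]:
    """Validate the popup query string before rendering a changelist.

    Returns (allowed, to_field). A request without a to_field is allowed
    with to_field=None; a request naming a disallowed field is rejected.
    """
    params = parse_qs(query_string)
    values = params.get(TO_FIELD_VAR, [])
    if not values:
        return True, None
    to_field = values[0]
    return to_field_allowed(registry, model_name, to_field), to_field


if __name__ == "__main__":
    for qs in ("pop=1&t=password", "pop=1&t=id", "pop=1&t=username", "pop=1"):
        allowed, tf = check_popup_request(REGISTRY, "User", qs)
        print(f"{qs!r:24} to_field={tf!r:12} allowed={allowed}")
```

The design choice worth noting is that the allow-list is derived from declared relations rather than from a hand-maintained list of "safe" field names: a new ForeignKey with a non-default `to_field` is permitted automatically, while any field nobody relates to stays unreachable through the popup.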

References

Source   Reference
CONFIRM  https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6
CONFIRM  https://www.djangoproject.com/weblog/2014/aug/20/security/
DEBIAN   DSA-3010
SUSE     openSUSE-SU-2014:1132
SECUNIA  59782