CVE-2016-2048
Django Access Restrictions Bypass
Severity: 5.5 MEDIUM (CVSS 3.1) | EPSS: 0.14%
Description
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions: a user who holds only the "change" permission for a model can create new instances of that model by editing an existing object and choosing the "Save as New" option, an action that should require the "add" permission. The flaw is a regression introduced in 1.9; in 1.9.2 a "Save as New" submission is treated as an add and is gated by the add permission.
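The permission-ordering mistake behind this bug, as an added plain-Python model that is not Django's code and needs no Django install. It reproduces the shape of the admin change-form handling: the "Save as New" option (only rendered when save_as=True) posts the edited form with a `_saveasnew` field, and the handler decides whether the request is an add or a change. In the vulnerable ordering the object id is dropped only after the change-permission check has passed, so a change-only user falls through to a create; in the fixed ordering the `_saveasnew` decision is made first, so the add permission is what gets checked. `AdminModel`, `Store`, `User` and `changeform_view` are hypothetical names chosen for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class PermissionDenied(Exception):
    """Raised when the request lacks the permission the action needs."""


@dataclass
class User:
    perms: Set[str]  # permission codenames, e.g. {"news.change_article"}

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class Store:
    """In-memory stand-in for the model table (constructed for this example)."""
    rows: Dict[int, dict] = field(default_factory=dict)
    next_pk: int = 1

    def create(self, data: dict) -> int:
        pk = self.next_pk
        self.rows[pk] = dict(data)
        self.next_pk += 1
        return pk

    def update(self, pk: int, data: dict) -> None:
        self.rows[pk].update(data)


@dataclass
class AdminModel:
    """Minimal stand-in for the ModelAdmin's app/model identity (hypothetical)."""
    app_label: str
    model_name: str

    def perm(self, action: str) -> str:
        return f"{self.app_label}.{action}_{self.model_name}"


def changeform_view(admin: AdminModel, store: Store, user: User,
                    object_id: Optional[int], post: Dict[str, str],
                    fixed: bool = True) -> int:
    """Handle an admin add/change POST and return the pk that was written.

    fixed=False models the 1.9.0/1.9.1 ordering: the change permission is
    checked against the existing object, and only afterwards does
    "_saveasnew" turn the request into a create.
    fixed=True models the 1.9.2 ordering: "_saveasnew" is resolved before the
    permission check, so the request is gated by the add permission.
    """
    save_as_new = "_saveasnew" in post

    if fixed and save_as_new:
        object_id = None  # decide "this is an add" before checking permissions

    adding = object_id is None
    required = admin.perm("add") if adding else admin.perm("change")
    if not user.has_perm(required):
        raise PermissionDenied(required)

    if not fixed and save_as_new:
        # Vulnerable ordering: the change check already passed, and dropping
        # the id here sends a change-only user down the create path.
        object_id = None

    form_data = {k: v for k, v in post.items() if not k.startswith("_")}
    if object_id is None:
        return store.create(form_data)
    store.update(object_id, form_data)
    return object_id


def demo(fixed: bool) -> str:
    """Run a change-only user through 'Save as New' and report the outcome."""
    admin = AdminModel("news", "article")
    store = Store()
    original = store.create({"title": "draft"})  # constructed sample row
    editor = User({admin.perm("change")})        # change but not add permission
    post = {"title": "copy", "_saveasnew": "Save as new"}
    try:
        pk = changeform_view(admin, store, editor, original, post, fixed=fixed)
    except PermissionDenied as exc:
        return f"denied: {exc}"
    return f"created pk={pk}, rows={len(store.rows)}"


if __name__ == "__main__":
    print("1.9.0/1.9.1 ordering:", demo(fixed=False))
    print("1.9.2 ordering:      ", demo(fixed=True))
```

Running the block shows the change-only editor creating a second row under the vulnerable ordering and being refused `news.add_article` under the fixed one; a user who also holds the add permission can still use "Save as New" in both.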
How to fix CVE-2016-2048
To remediate CVE-2016-2048, upgrade the affected package to the fixed version listed for it below (Django 1.9.2, or the corresponding distribution build 1.9.2-1). Only 1.9.0 and 1.9.1 are affected; earlier release series are not. Until the upgrade is in place, the bug is reachable only through ModelAdmin classes that set save_as = True, so leaving save_as at its default of False on those classes removes the "Save as New" option that triggers it.
- —upgrade to 1.9.2-1 or later
- —upgrade to 1.9.2 or later
- —upgrade to 1.9.2 or later
Is CVE-2016-2048 being exploited?
Low. EPSS is 0.14%, an estimated probability of exploitation in the wild within the next 30 days; it is a prediction, not an observation, and a value this low indicates no wide-scale exploitation activity. Note that the bug still needs an authenticated admin user with the change permission, which limits its reach in any case.
Affected packages (3)
- from 0, < 1.9.2-1
- >= 1.9, < 1.9.2
- >= 1.9, < 1.9.2
CVSS scores
| Source | Version | Severity (base score) | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | not scored | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM (5.5) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N |

The second vector string carries a CVSS:3.0 prefix; for this combination of metrics (network, low complexity, high privileges, no user interaction, low confidentiality and high integrity impact) the base score works out to 5.5 under both the 3.0 and 3.1 formulas.