CVE-2016-6186
python-django - security update
Severity: 6.1 MEDIUM (CVSS 3.1) | EPSS: 16.4%
Description
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
How to fix CVE-2016-6186
To remediate CVE-2016-6186, upgrade the affected package to a fixed version below.
- upgrade to 1:1.9.8-1 or later
- upgrade to 1.4.5-1+deb7u17 or later
- upgrade to 1.7.7-1+deb8u5 or later
- upgrade to 1.8.14 or later
- upgrade to commit d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 or later
Is CVE-2016-6186 being exploited?
Moderate — EPSS is 16.4%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- from 0, < 1:1.9.8-1
- from 0, < 1.4.5-1+deb7u17
- from 0, < 1.7.7-1+deb8u5
- from 0, < 1.8.14
- git: from 0, < d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 (or < f68e5a99164867ab0e071a936470958ed867479d); releases: from 0, < 1.8.14; >= 1.9, < 1.9.8; >= 1.10a0, < 1.10rc1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |