Django Access Restrictions Bypass
High severity
GitHub Reviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Feb 8, 2016
Published to the GitHub Advisory Database
May 17, 2022
Reviewed
Jul 31, 2023
Last updated
Nov 18, 2024
Django 1.9.x before 1.9.2, when
ModelAdmin.save_as
is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.References