Vulnerability DatabaseCVE-2010-4534
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2010-4534
January 10, 2011
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
Affected Packages
django (PYTHON):
Affected version(s) >=1.2 <1.2.4
Fix Suggestion:
Update to version 1.2.4
django (PYTHON):
Affected version(s) >=1.0.1 <1.1.3
Fix Suggestion:
Update to version 1.1.3
Related Resources (27)
http://www.securityfocus.com/bid/45562
http://www.vupen.com/english/advisories/2011/0048
https://bugzilla.redhat.com/show_bug.cgi?id=665373
http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter
https://github.com/advisories/GHSA-fwr5-q9rx-294f
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-8.yaml
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html
http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/
http://www.djangoproject.com/weblog/2010/dec/22/security
http://www.securityfocus.com/archive/1/515446
http://www.vupen.com/english/advisories/2011/0098
http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac
http://www.openwall.com/lists/oss-security/2010/12/23/4
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html
https://nvd.nist.gov/vuln/detail/CVE-2010-4534
https://github.com/django/django/commit/85207a245bf09fdebe486b4c7bbcb65300f2a693
http://secunia.com/advisories/42913
http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter/
http://www.openwall.com/lists/oss-security/2011/01/03/5
https://github.com/django/django
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html
http://secunia.com/advisories/42827
http://www.ubuntu.com/usn/USN-1040-1
https://github.com/django/django/commit/17084839fd7e267da5729f2a27753322b9d415a0
http://www.djangoproject.com/weblog/2010/dec/22/security/
http://code.djangoproject.com/changeset/15031
http://secunia.com/advisories/42715
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
4
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Improper Input Validation
CWE-20
EPSS
Base Score:
0.55