CVE-2014-0483: Django data leakage via querystring manipulation in admin

CVSS Score (CVSS v3.1): 5.3

Basic Information

EPSS Score: 0.61638%
Published: 5/14/2022
Updated: 9/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected packages:

Package Name | Ecosystem | Vulnerable Versions   | First Patched Version
Django       | pip       | < 1.4.14              | 1.4.14
Django       | pip       | >= 1.5, < 1.5.9       | 1.5.9
Django       | pip       | >= 1.6, < 1.6.6       | 1.6.6
Django       | pip       | >= 1.7a1, < 1.7c3     | 1.7c3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from missing validation of the 'to_field' parameter in admin interface handlers. The patch added 'to_field_allowed()' checks in both the changeform_view (admin form handler) and ChangeList initialization (list view handler). The original unpatched versions of these functions processed 'to_field' without verifying it was a relationship field to a registered model, allowing attackers to expose arbitrary fields via URL manipulation.
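As an added illustration of the check the patch introduced (a constructed example, not Django's own code): a toy admin registry in which `to_field` is accepted only when some registered model holds a relation that targets exactly that field, plus a list-view helper that contrasts the pre-fix behaviour (any field name reaches the filter) with the patched one. The registry, the model and field names, and the `changelist_filter` helper are all assumptions.

```python
"""Toy reconstruction of the to_field check; not Django's own code.
REGISTRY stands in for the admin site's model registry."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs

@dataclass
class Field:
    name: str
    # Set on ForeignKey-style fields: the (model, field) the relation targets.
    related_model: Optional[str] = None
    related_field: Optional[str] = None

# Constructed registry of model name -> fields. Only "ticket.owner" is a
# relation, and it points at "user.id".
REGISTRY: Dict[str, Dict[str, Field]] = {
    "user": {n: Field(n) for n in ("id", "email", "password_hash")},
    "ticket": {
        "id": Field("id"),
        "owner": Field("owner", related_model="user", related_field="id"),
        "title": Field("title"),
    },
}

def to_field_allowed(model_name: str, to_field: str) -> bool:
    """The fix: accept `to_field` only if some registered model's relation targets it."""
    fields = REGISTRY.get(model_name)
    if fields is None or to_field not in fields:
        return False
    return any(
        f.related_model == model_name and f.related_field == to_field
        for other in REGISTRY.values() for f in other.values()
    )

def changelist_filter(model_name: str, querystring: str, patched: bool = True):
    """Lookup the list view would run for ?to_field=...&value=..., or None when
    the patched check rejects the field. patched=False mirrors the pre-fix code,
    where any field name (e.g. password_hash) reached the filter."""
    params = parse_qs(querystring.lstrip("?"))
    to_field = params.get("to_field", [None])[0]
    value = params.get("value", [None])[0]
    if to_field is None or value is None:
        return None
    if patched and not to_field_allowed(model_name, to_field):
        return None
    return {"model": model_name, "field": to_field, "value": value}
```

Detection-wise, the same idea applies to request logs: admin list or change-form requests whose `to_field` names a field that no registered relation targets are exactly the ones the patched check rejects.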


WAF Protection Rules

WAF Rule

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users…
