CVE-2014-0483: Django data leakage via querystring manipulation in admin
CVSS Score: 5.3 (CVSS 3.1)

Basic Information
EPSS Score: 0.61638%
Published: 5/14/2022
Updated: 9/18/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Django | pip | < 1.4.14 | 1.4.14 |
| Django | pip | >= 1.5, < 1.5.9 | 1.5.9 |
| Django | pip | >= 1.6, < 1.6.6 | 1.6.6 |
| Django | pip | >= 1.7a1, < 1.7c3 | 1.7c3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing validation of the 'to_field' parameter in admin interface handlers. The patch added 'to_field_allowed()' checks in both the changeform_view (admin form handler) and ChangeList initialization (list view handler). The original, unpatched versions of these functions accepted 'to_field' from the querystring without verifying that it named a field which a registered model references through a relationship, so an attacker could have arbitrary model fields exposed in the admin by manipulating the URL.
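As an added illustration (not Django's own code and not taken from this advisory), the following is a simplified stand-in for the 'to_field_allowed()' check described above, run against a constructed toy registry; the model, field and function names are assumptions, not Django identifiers.

```python
from dataclasses import dataclass, field


@dataclass
class Model:
    """Toy stand-in for a Django model (constructed for this example)."""
    name: str
    fields: frozenset
    # relation name -> (target model name, target field name), e.g. an FK
    relations: dict = field(default_factory=dict)


class DisallowedToField(Exception):
    """Raised when a querystring asks for a field the admin may not expose."""


def to_field_allowed(registry, model, to_field):
    """Mimics the patched rule: the value must be a real field on `model`
    AND at least one model registered with the admin site must reference
    that exact field through a relationship. Anything else is refused."""
    if to_field not in model.fields:
        return False
    for registered in registry.values():
        for target_model, target_field in registered.relations.values():
            if target_model == model.name and target_field == to_field:
                return True
    return False


def resolve_to_field(registry, model_name, query):
    """Simulates the admin view reading ?_to_field=... from the querystring
    and applying the check before using the value."""
    to_field = query.get("_to_field")
    if to_field is None:
        return None
    if not to_field_allowed(registry, registry[model_name], to_field):
        raise DisallowedToField(f"The field {to_field} cannot be referenced.")
    return to_field


# Constructed admin registry: Article.author is a relation to User.id, so
# User.id is referenceable; User.password is a plain field and is not.
REGISTRY = {
    "User": Model("User", frozenset({"id", "username", "password"})),
    "Article": Model("Article", frozenset({"id", "title", "author_id"}),
                     relations={"author": ("User", "id")}),
}

if __name__ == "__main__":
    print(resolve_to_field(REGISTRY, "User", {"_to_field": "id"}))  # id
```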