CVE

CVE-2016-6186
Date: (C)2016-08-25   (M)2023-12-22


Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

CVSS Score and Metrics

CVSS V3 Severity:
CVSS Score: 6.1
Exploit Score: 2.8
Impact Score: 2.7

CVSS V3 Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

CVSS V2 Severity:
CVSS Score: 4.3
Exploit Score: 8.6
Impact Score: 2.9

CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
  
Reference:
SECTRACK-1036338
http://www.securityfocus.com/archive/1/538947/100/0/threaded
EXPLOIT-DB-40129
BID-92058
DSA-3622
FEDORA-2016-97ca9d52a4
FEDORA-2016-b7e31a0b9a
RHSA-2016:1594
RHSA-2016:1595
RHSA-2016:1596
USN-3039-1
http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
http://www.vulnerability-lab.com/get_content.php?id=1869
https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
https://www.djangoproject.com/weblog/2016/jul/18/security-releases/

CPE    6
cpe:/a:djangoproject:django:1.9.0:rc1
cpe:/a:djangoproject:django:1.9.2
cpe:/a:djangoproject:django:1.9.1
cpe:/a:djangoproject:django:1.9
...
CWE    1
CWE-79
OVAL    5
oval:org.secpod.oval:def:1800838
oval:org.secpod.oval:def:1800065
oval:org.secpod.oval:def:703211
oval:org.secpod.oval:def:51604
...

© SecPod Technologies