The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2011-01-10T19:18:00
Updated: 2024-08-07T03:51:17.373Z
Reserved: 2010-12-09T00:00:00
Link: CVE-2010-4534
Vulnrichment
No data.
NVD
Status : Modified
Published: 2011-01-10T20:00:16.877
Modified: 2024-11-21T01:21:09.587
Link: CVE-2010-4534
Redhat
No data.