CVE-2016-2048

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

Published: Feb 8, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-2048
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
djangoproject / django	1.9.1	1.9.1.x
djangoproject / django	1.9	1.9.x

http://www.securityfocus.com/bid/82329
http://www.securitytracker.com/id/1034894
https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/

Vulnerability Database

289,697

CVE-2016-2048