Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-6186

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Published

2016-08-05T15:59:09.503

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	debian	debian_linux	8.0	Yes
Application	djangoproject	django	≤ 1.8.13	Yes
Application	djangoproject	django	1.9	Yes
Application	djangoproject	django	1.9.0	Yes
Application	djangoproject	django	1.9.1	Yes
Application	djangoproject	django	1.9.2	Yes
Application	djangoproject	django	1.9.3	Yes
Application	djangoproject	django	1.9.4	Yes
Application	djangoproject	django	1.9.5	Yes
Application	djangoproject	django	1.9.6	Yes
Application	djangoproject	django	1.9.7	Yes
Application	djangoproject	django	1.10	Yes
Application	djangoproject	django	1.10	Yes

References

http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html VDB Entry ([email protected])
http://rhn.redhat.com/errata/RHSA-2016-1594.html ([email protected])
http://rhn.redhat.com/errata/RHSA-2016-1595.html ([email protected])
http://rhn.redhat.com/errata/RHSA-2016-1596.html ([email protected])
http://seclists.org/fulldisclosure/2016/Jul/53 Mailing List, Patch ([email protected])
http://www.debian.org/security/2016/dsa-3622 Third Party Advisory ([email protected])
http://www.securityfocus.com/archive/1/538947/100/0/threaded ([email protected])
http://www.securityfocus.com/bid/92058 ([email protected])
http://www.securitytracker.com/id/1036338 VDB Entry ([email protected])
http://www.ubuntu.com/usn/USN-3039-1 Third Party Advisory ([email protected])
http://www.vulnerability-lab.com/get_content.php?id=1869 Patch, Third Party Advisory ([email protected])
https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 Patch ([email protected])
https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d Patch ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/ ([email protected])
https://www.djangoproject.com/weblog/2016/jul/18/security-releases/ Patch, Vendor Advisory ([email protected])
https://www.exploit-db.com/exploits/40129/ ([email protected])
http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-1594.html (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-1595.html (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-1596.html (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2016/Jul/53 Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2016/dsa-3622 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/538947/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/92058 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1036338 VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-3039-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vulnerability-lab.com/get_content.php?id=1869 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.djangoproject.com/weblog/2016/jul/18/security-releases/ Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/40129/ (af854a3a-2127-422b-91ae-364da2661108)