Vulnerability Details : CVE-2013-0305
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.
Vulnerability category: Information leak
Products affected by CVE-2013-0305
- cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4:beta:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4:alpha:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-0305
- 0.13%: probability of exploitation activity in the next 30 days
- ~47%: percentile, the proportion of vulnerabilities that are scored at or below this one
EPSS Score History
CVSS scores for CVE-2013-0305
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
CWE ids for CVE-2013-0305
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2013-0305
- http://rhn.redhat.com/errata/RHSA-2013-0670.html: RHSA-2013:0670 - Security Advisory - Red Hat Customer Portal
- https://www.djangoproject.com/weblog/2013/feb/19/security/: Security releases issued | Weblog | Django (Patch; Vendor Advisory)
- http://ubuntu.com/usn/usn-1757-1: USN-1757-1: Django vulnerabilities | Ubuntu security notices
- http://www.debian.org/security/2013/dsa-2634: Debian -- Security Information -- DSA-2634-1 python-django