CVE-2016-6186
Description
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-6186
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-6186.html
Vendor advisory: cve@mitre.org — https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
Vendor advisory: cve@mitre.org — https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
Vendor advisory: cve@mitre.org — https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
Vendor advisory: cve@mitre.org — http://www.vulnerability-lab.com/get_content.php?id=1869
Vendor advisory: cve@mitre.org — http://seclists.org/fulldisclosure/2016/Jul/53
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | 8.0 | affected | |
| debian | bookworm | fixed | 1:1.9.8-1 |
| debian | bullseye | fixed | 1:1.9.8-1 |
| debian | forky | fixed | 1:1.9.8-1 |
| debian | sid | fixed | 1:1.9.8-1 |
| debian | trixie | fixed | 1:1.9.8-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| djangoproject | django | <= 1.8.13 | |
| djangoproject | django | 1.9 | |
| djangoproject | django | 1.9.0 | |
| djangoproject | django | 1.9.1 | |
| djangoproject | django | 1.9.2 | |
| djangoproject | django | 1.9.3 | |
| djangoproject | django | 1.9.4 | |
| djangoproject | django | 1.9.5 | |
| djangoproject | django | 1.9.6 | |
| djangoproject | django | 1.9.7 | |
| djangoproject | django | 1.10 | |
References
- http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
- http://rhn.redhat.com/errata/RHSA-2016-1594.html
- http://rhn.redhat.com/errata/RHSA-2016-1595.html
- http://rhn.redhat.com/errata/RHSA-2016-1596.html
- http://seclists.org/fulldisclosure/2016/Jul/53
- http://www.debian.org/security/2016/dsa-3622
- http://www.securityfocus.com/archive/1/538947/100/0/threaded
- http://www.securityfocus.com/bid/92058
- http://www.securitytracker.com/id/1036338
- http://www.ubuntu.com/usn/USN-3039-1
- http://www.vulnerability-lab.com/get_content.php?id=1869
- https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
- https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
- https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
- https://www.exploit-db.com/exploits/40129/
- https://www.suse.com/security/cve/CVE-2016-6186.html
- https://nvd.nist.gov/vuln/detail/CVE-2016-6186
- https://github.com/django/django/commit/6fa150b2f8b601668083042324c4add534143cb1
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-2.yaml
- https://web.archive.org/web/20201022155237/http://www.securityfocus.com/archive/1/538947/100/0/threaded
CWEs
CWE-79