CWE
264 200
Advisory Published
Advisory Published
Updated

CVE-2014-0483: Infoleak

First published: Tue Aug 26 2014(Updated: )

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.

Credit: security@debian.org security@debian.org

Affected SoftwareAffected VersionHow to fix
pip/Django>=1.7a1<1.7c3
1.7c3
pip/Django>=1.6<1.6.6
1.6.6
pip/Django>=1.5<1.5.9
1.5.9
pip/Django<1.4.14
1.4.14
SUSE Linux=12.3
SUSE Linux=13.1
Django=1.5
Django=1.5-alpha
Django=1.5-beta
Django=1.5.1
Django=1.5.2
Django=1.5.3
Django=1.5.4
Django=1.5.5
Django=1.5.6
Django=1.5.7
Django=1.5.8
Django=1.6
Django=1.6-beta1
Django=1.6-beta2
Django=1.6-beta3
Django=1.6-beta4
Django=1.6.1
Django=1.6.2
Django=1.6.3
Django=1.6.4
Django=1.6.5
Django<=1.4.13
Django=1.4
Django=1.4.1
Django=1.4.2
Django=1.4.4
Django=1.4.5
Django=1.4.6
Django=1.4.7
Django=1.4.8
Django=1.4.9
Django=1.4.10
Django=1.4.11
Django=1.4.12
Django=1.7-beta1
Django=1.7-beta2
Django=1.7-beta3
Django=1.7-beta4
Django=1.7-rc1
Django=1.7-rc2

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the severity of CVE-2014-0483?

    CVE-2014-0483 has a high severity level as it allows remote authenticated users to access sensitive information through the administrative interface.

  • How do I fix CVE-2014-0483?

    To fix CVE-2014-0483, upgrade to Django versions 1.7c3 or higher, 1.6.6, 1.5.9, or 1.4.14.

  • Which versions of Django are affected by CVE-2014-0483?

    CVE-2014-0483 affects Django versions before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 earlier than release candidate 3.

  • What type of vulnerability is CVE-2014-0483?

    CVE-2014-0483 is a vulnerability in the administrative interface of Django that fails to check model relationships.

  • Can authenticated users exploit CVE-2014-0483?

    Yes, remote authenticated users can exploit CVE-2014-0483 to obtain sensitive information.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203