Vulnerability-Lookup

CVE-2016-6186 (GCVE-0-2016-6186)

Vulnerability from cvelistv5 – Published: 2016-08-05 15:00 – Updated: 2024-08-06 01:22

Summary

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Severity

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

Assigner

mitre

References

17 references

URL	Tags
http://www.securitytracker.com/id/1036338	vdb-entryx_refsource_SECTRACK
http://seclists.org/fulldisclosure/2016/Jul/53	mailing-listx_refsource_FULLDISC
http://rhn.redhat.com/errata/RHSA-2016-1594.html	vendor-advisoryx_refsource_REDHAT
http://www.debian.org/security/2016/dsa-3622	vendor-advisoryx_refsource_DEBIAN
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
http://www.vulnerability-lab.com/get_content.php?…	x_refsource_MISC
http://www.securityfocus.com/archive/1/538947/100…	mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/137965/Djang…	x_refsource_MISC
http://www.ubuntu.com/usn/USN-3039-1	vendor-advisoryx_refsource_UBUNTU
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://github.com/django/django/commit/f68e5a991…	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-1596.html	vendor-advisoryx_refsource_REDHAT
https://www.djangoproject.com/weblog/2016/jul/18/…	x_refsource_CONFIRM
https://github.com/django/django/commit/d03bf6fe4…	x_refsource_CONFIRM
http://www.securityfocus.com/bid/92058	vdb-entryx_refsource_BID
http://rhn.redhat.com/errata/RHSA-2016-1595.html	vendor-advisoryx_refsource_REDHAT
https://www.exploit-db.com/exploits/40129/	exploitx_refsource_EXPLOIT-DB

Date Public

2016-07-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:22:20.927Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1036338",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036338"
          },
          {
            "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
          },
          {
            "name": "RHSA-2016:1594",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
          },
          {
            "name": "DSA-3622",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3622"
          },
          {
            "name": "FEDORA-2016-97ca9d52a4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
          },
          {
            "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
          },
          {
            "name": "USN-3039-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-3039-1"
          },
          {
            "name": "FEDORA-2016-b7e31a0b9a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
          },
          {
            "name": "RHSA-2016:1596",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
          },
          {
            "name": "92058",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/92058"
          },
          {
            "name": "RHSA-2016:1595",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
          },
          {
            "name": "40129",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/40129/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-07-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "1036338",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036338"
        },
        {
          "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
        },
        {
          "name": "RHSA-2016:1594",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
        },
        {
          "name": "DSA-3622",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3622"
        },
        {
          "name": "FEDORA-2016-97ca9d52a4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
        },
        {
          "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
        },
        {
          "name": "USN-3039-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-3039-1"
        },
        {
          "name": "FEDORA-2016-b7e31a0b9a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
        },
        {
          "name": "RHSA-2016:1596",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
        },
        {
          "name": "92058",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/92058"
        },
        {
          "name": "RHSA-2016:1595",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
        },
        {
          "name": "40129",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/40129/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-6186",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1036338",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036338"
            },
            {
              "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
            },
            {
              "name": "RHSA-2016:1594",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
            },
            {
              "name": "DSA-3622",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3622"
            },
            {
              "name": "FEDORA-2016-97ca9d52a4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
            },
            {
              "name": "http://www.vulnerability-lab.com/get_content.php?id=1869",
              "refsource": "MISC",
              "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
            },
            {
              "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
            },
            {
              "name": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
            },
            {
              "name": "USN-3039-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-3039-1"
            },
            {
              "name": "FEDORA-2016-b7e31a0b9a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
            },
            {
              "name": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
            },
            {
              "name": "RHSA-2016:1596",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
            },
            {
              "name": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
            },
            {
              "name": "92058",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/92058"
            },
            {
              "name": "RHSA-2016:1595",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
            },
            {
              "name": "40129",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/40129/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-6186",
    "datePublished": "2016-08-05T15:00:00.000Z",
    "dateReserved": "2016-07-08T00:00:00.000Z",
    "dateUpdated": "2024-08-06T01:22:20.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2016-6186",
      "date": "2026-06-05",
      "epss": "0.16367",
      "percentile": "0.9499"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.8.13\", \"matchCriteriaId\": \"08E370D6-9EA2-48B6-AA81-B98D982679FA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"29C40BAC-6DF3-4EA2-A65A-86462DDD8723\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"832F9FA9-5FC8-4DB6-AD39-C3D1C21C4568\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6B754401-8503-4553-853F-4F6BCD2D2FF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"019C26C7-EF1F-45BB-934E-521E2E64452E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A18691A7-E4D0-48A4-81A7-89846E991AF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7C06EBD9-381E-4018-BFDC-E23EA18097B0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7D134048-B64F-45AE-B4A2-26E516CCF37B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0F39B83A-C10B-4B88-9491-2FB8B07D6EA5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"64A4030E-F51F-4944-BCE7-E27CD32EC7D4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.10:alpha1:*:*:*:*:*:*\", \"matchCriteriaId\": \"36ECEDD6-A60B-4DE1-881B-899641489BAD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.10:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"035DDCD9-7679-4106-BCDA-89D67195D5E8\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de XSS en la funci\\u00f3n dismissChangeRelatedObjectPopup en contrib/admin/static/admin/js/admin/RelatedObjectLookups.js en Django en versiones anteriores a 1.8.14, 1.9.x en versiones anteriores a 1.9.8 y 1.10.x en versiones anteriores a 1.10rc1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\\u00e9s de vectors relacionados con el uso no seguro de Element.innerHTML.\"}]",
      "id": "CVE-2016-6186",
      "lastModified": "2024-11-21T02:55:37.857",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2016-08-05T15:59:09.503",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"VDB Entry\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1594.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1595.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1596.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://seclists.org/fulldisclosure/2016/Jul/53\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Patch\"]}, {\"url\": \"http://www.debian.org/security/2016/dsa-3622\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/archive/1/538947/100/0/threaded\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/92058\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securitytracker.com/id/1036338\", \"source\": \"cve@mitre.org\", \"tags\": [\"VDB Entry\"]}, {\"url\": \"http://www.ubuntu.com/usn/USN-3039-1\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.vulnerability-lab.com/get_content.php?id=1869\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.djangoproject.com/weblog/2016/jul/18/security-releases/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/40129/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"VDB Entry\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1594.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1595.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1596.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://seclists.org/fulldisclosure/2016/Jul/53\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Patch\"]}, {\"url\": \"http://www.debian.org/security/2016/dsa-3622\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/archive/1/538947/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/92058\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1036338\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"VDB Entry\"]}, {\"url\": \"http://www.ubuntu.com/usn/USN-3039-1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.vulnerability-lab.com/get_content.php?id=1869\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.djangoproject.com/weblog/2016/jul/18/security-releases/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/40129/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2016-6186\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2016-08-05T15:59:09.503\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de XSS en la funci\u00f3n dismissChangeRelatedObjectPopup en contrib/admin/static/admin/js/admin/RelatedObjectLookups.js en Django en versiones anteriores a 1.8.14, 1.9.x en versiones anteriores a 1.9.8 y 1.10.x en versiones anteriores a 1.10rc1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectors relacionados con el uso no seguro de Element.innerHTML.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.8.13\",\"matchCriteriaId\":\"08E370D6-9EA2-48B6-AA81-B98D982679FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"29C40BAC-6DF3-4EA2-A65A-86462DDD8723\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"832F9FA9-5FC8-4DB6-AD39-C3D1C21C4568\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B754401-8503-4553-853F-4F6BCD2D2FF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"019C26C7-EF1F-45BB-934E-521E2E64452E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A18691A7-E4D0-48A4-81A7-89846E991AF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C06EBD9-381E-4018-BFDC-E23EA18097B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7D134048-B64F-45AE-B4A2-26E516CCF37B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F39B83A-C10B-4B88-9491-2FB8B07D6EA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"64A4030E-F51F-4944-BCE7-E27CD32EC7D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"36ECEDD6-A60B-4DE1-881B-899641489BAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"035DDCD9-7679-4106-BCDA-89D67195D5E8\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"VDB Entry\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-1594.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-1595.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-1596.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://seclists.org/fulldisclosure/2016/Jul/53\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"http://www.debian.org/security/2016/dsa-3622\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/archive/1/538947/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/92058\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1036338\",\"source\":\"cve@mitre.org\",\"tags\":[\"VDB Entry\"]},{\"url\":\"http://www.ubuntu.com/usn/USN-3039-1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.vulnerability-lab.com/get_content.php?id=1869\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.djangoproject.com/weblog/2016/jul/18/security-releases/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/40129/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"VDB Entry\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-1594.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-1595.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-1596.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2016/Jul/53\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"http://www.debian.org/security/2016/dsa-3622\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/archive/1/538947/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/92058\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1036338\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"VDB Entry\"]},{\"url\":\"http://www.ubuntu.com/usn/USN-3039-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.vulnerability-lab.com/get_content.php?id=1869\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.djangoproject.com/weblog/2016/jul/18/security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/40129/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

CNVD-2016-05212

Vulnerability from cnvd - Published: 2016-07-22

Title

python-django跨站脚本漏洞

Description

Django是开源的Python Web应用开发框架。 Django错误地处理管理员的添加/更改相关的弹出窗口存在安全漏洞。远程攻击者利用该漏洞执行跨站脚本攻击。

Severity

中

Patch Name

python-django跨站脚本漏洞的补丁

Patch Description

Django是开源的Python Web应用开发框架。 Django错误地处理管理员的添加/更改相关的弹出窗口存在安全漏洞。远程攻击者利用该漏洞执行跨站脚本攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.1

Reference

https://www.auscert.org.au/render.html?it=36954

Impacted products

Name
Django Django

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "92058"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-6186"
    }
  },
  "description": "Django\u662f\u5f00\u6e90\u7684Python Web\u5e94\u7528\u5f00\u53d1\u6846\u67b6\u3002 \r\n\r\nDjango\u9519\u8bef\u5730\u5904\u7406\u7ba1\u7406\u5458\u7684\u6dfb\u52a0/\u66f4\u6539\u76f8\u5173\u7684\u5f39\u51fa\u7a97\u53e3\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002",
  "discovererName": "Django",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a                                  \r\nhttps://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.1",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-05212",
  "openTime": "2016-07-22",
  "patchDescription": "Django\u662f\u5f00\u6e90\u7684Python Web\u5e94\u7528\u5f00\u53d1\u6846\u67b6\u3002 \r\n\r\nDjango\u9519\u8bef\u5730\u5904\u7406\u7ba1\u7406\u5458\u7684\u6dfb\u52a0/\u66f4\u6539\u76f8\u5173\u7684\u5f39\u51fa\u7a97\u53e3\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "python-django\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Django Django"
  },
  "referenceLink": "https://www.auscert.org.au/render.html?it=36954",
  "serverity": "\u4e2d",
  "submitTime": "2016-07-21",
  "title": "python-django\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

FKIE_CVE-2016-6186

Vulnerability from fkie_nvd - Published: 2016-08-05 15:59 - Updated: 2026-05-06 22:30

Severity

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html	VDB Entry
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2016-1594.html
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2016-1595.html
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2016-1596.html
cve@mitre.org	http://seclists.org/fulldisclosure/2016/Jul/53	Mailing List, Patch
cve@mitre.org	http://www.debian.org/security/2016/dsa-3622	Third Party Advisory
cve@mitre.org	http://www.securityfocus.com/archive/1/538947/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/92058
cve@mitre.org	http://www.securitytracker.com/id/1036338	VDB Entry
cve@mitre.org	http://www.ubuntu.com/usn/USN-3039-1	Third Party Advisory
cve@mitre.org	http://www.vulnerability-lab.com/get_content.php?id=1869	Patch, Third Party Advisory
cve@mitre.org	https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158	Patch
cve@mitre.org	https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d	Patch
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
cve@mitre.org	https://www.djangoproject.com/weblog/2016/jul/18/security-releases/	Patch, Vendor Advisory
cve@mitre.org	https://www.exploit-db.com/exploits/40129/
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html	VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-1594.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-1595.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-1596.html
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2016/Jul/53	Mailing List, Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2016/dsa-3622	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/538947/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/92058
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1036338	VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-3039-1	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.vulnerability-lab.com/get_content.php?id=1869	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d	Patch
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
af854a3a-2127-422b-91ae-364da2661108	https://www.djangoproject.com/weblog/2016/jul/18/security-releases/	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/40129/

Impacted products

Vendor	Product	Version
debian	debian_linux	8.0
djangoproject	django	*
djangoproject	django	1.9
djangoproject	django	1.9.0
djangoproject	django	1.9.1
djangoproject	django	1.9.2
djangoproject	django	1.9.3
djangoproject	django	1.9.4
djangoproject	django	1.9.5
djangoproject	django	1.9.6
djangoproject	django	1.9.7
djangoproject	django	1.10
djangoproject	django	1.10

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "08E370D6-9EA2-48B6-AA81-B98D982679FA",
              "versionEndIncluding": "1.8.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "29C40BAC-6DF3-4EA2-A65A-86462DDD8723",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "832F9FA9-5FC8-4DB6-AD39-C3D1C21C4568",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B754401-8503-4553-853F-4F6BCD2D2FF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "019C26C7-EF1F-45BB-934E-521E2E64452E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "A18691A7-E4D0-48A4-81A7-89846E991AF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C06EBD9-381E-4018-BFDC-E23EA18097B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D134048-B64F-45AE-B4A2-26E516CCF37B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F39B83A-C10B-4B88-9491-2FB8B07D6EA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "64A4030E-F51F-4944-BCE7-E27CD32EC7D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.10:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "36ECEDD6-A60B-4DE1-881B-899641489BAD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.10:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "035DDCD9-7679-4106-BCDA-89D67195D5E8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de XSS en la funci\u00f3n dismissChangeRelatedObjectPopup en contrib/admin/static/admin/js/admin/RelatedObjectLookups.js en Django en versiones anteriores a 1.8.14, 1.9.x en versiones anteriores a 1.9.8 y 1.10.x en versiones anteriores a 1.10rc1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectors relacionados con el uso no seguro de Element.innerHTML."
    }
  ],
  "id": "CVE-2016-6186",
  "lastModified": "2026-05-06T22:30:45.220",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-08-05T15:59:09.503",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Patch"
      ],
      "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.debian.org/security/2016/dsa-3622"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/92058"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1036338"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.ubuntu.com/usn/USN-3039-1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.exploit-db.com/exploits/40129/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch"
      ],
      "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.debian.org/security/2016/dsa-3622"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/92058"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1036338"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.ubuntu.com/usn/USN-3039-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/40129/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-C8C8-9472-W52H

Vulnerability from github – Published: 2022-05-14 02:46 – Updated: 2024-09-17 15:13

Summary

Django Cross-site scripting Vulnerability

Details

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Severity

6.1 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9"
            },
            {
              "fixed": "1.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10a1"
            },
            {
              "fixed": "1.10rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-6186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T18:31:52Z",
    "nvd_published_at": "2016-08-05T15:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting (XSS) vulnerability in the `dismissChangeRelatedObjectPopup` function in `contrib/admin/static/admin/js/admin/RelatedObjectLookups.js` in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",
  "id": "GHSA-c8c8-9472-w52h",
  "modified": "2024-09-17T15:13:11Z",
  "published": "2022-05-14T02:46:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/6fa150b2f8b601668083042324c4add534143cb1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-2.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201022155237/http://www.securityfocus.com/archive/1/538947/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210123154652/http://www.securityfocus.com/bid/92058"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20211204042848/http://www.securitytracker.com/id/1036338"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/40129"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3622"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3039-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django Cross-site scripting Vulnerability"
}

GSD-2016-6186

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-6186

Aliases

CVE-2016-6186

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-6186",
    "description": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",
    "id": "GSD-2016-6186",
    "references": [
      "https://www.suse.com/security/cve/CVE-2016-6186.html",
      "https://www.debian.org/security/2016/dsa-3622",
      "https://access.redhat.com/errata/RHSA-2016:1596",
      "https://access.redhat.com/errata/RHSA-2016:1595",
      "https://access.redhat.com/errata/RHSA-2016:1594",
      "https://ubuntu.com/security/CVE-2016-6186",
      "https://advisories.mageia.org/CVE-2016-6186.html",
      "https://packetstormsecurity.com/files/cve/CVE-2016-6186"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-6186"
      ],
      "details": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",
      "id": "GSD-2016-6186",
      "modified": "2023-12-13T01:21:23.873019Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2016-6186",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "1036338",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1036338"
          },
          {
            "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
          },
          {
            "name": "RHSA-2016:1594",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
          },
          {
            "name": "DSA-3622",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2016/dsa-3622"
          },
          {
            "name": "FEDORA-2016-97ca9d52a4",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
          },
          {
            "name": "http://www.vulnerability-lab.com/get_content.php?id=1869",
            "refsource": "MISC",
            "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
          },
          {
            "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
          },
          {
            "name": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
          },
          {
            "name": "USN-3039-1",
            "refsource": "UBUNTU",
            "url": "http://www.ubuntu.com/usn/USN-3039-1"
          },
          {
            "name": "FEDORA-2016-b7e31a0b9a",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
          },
          {
            "name": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d",
            "refsource": "CONFIRM",
            "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
          },
          {
            "name": "RHSA-2016:1596",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
          },
          {
            "name": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/",
            "refsource": "CONFIRM",
            "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
          },
          {
            "name": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158",
            "refsource": "CONFIRM",
            "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
          },
          {
            "name": "92058",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/92058"
          },
          {
            "name": "RHSA-2016:1595",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
          },
          {
            "name": "40129",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/40129/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.8.14||\u003e=1.9.0alpha,\u003c1.9.8||\u003e=1.10.0alpha,\u003c1.10rc1",
          "affected_versions": "All versions before 1.8.14, all versions starting from 1.9.0alpha before 1.9.8, all versions starting from 1.10.0alpha before 1.10rc1",
          "credit": "Vulnerability Laboratory, Paulo Alvarado",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2018-10-09",
          "description": "Unsafe usage of JavaScript\u0027s `Element.innerHTML` could result in XSS in the admin\u0027s add/change related popup. The debug view also used `innerHTML`.",
          "fixed_versions": [
            "1.10rc1",
            "1.8.14",
            "1.9.8"
          ],
          "identifier": "CVE-2016-6186",
          "identifiers": [
            "CVE-2016-6186"
          ],
          "not_impacted": "All versions starting from 1.8.14 before 1.9.0alpha, all versions starting from 1.9.8 before 1.10.0alpha, all versions starting from 1.10rc1",
          "package_slug": "pypi/Django",
          "pubdate": "2016-08-05",
          "solution": "Upgrade to versions 1.10rc1, 1.8.14, 1.9.8 or above.",
          "title": "XSS in admin\u0027s add/change related popup",
          "urls": [
            "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
          ],
          "uuid": "15c5aa45-118e-479d-a7af-5d1baab6aec9"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.8.13",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.10:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.10:alpha1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-6186"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html",
              "refsource": "MISC",
              "tags": [
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
            },
            {
              "name": "http://www.vulnerability-lab.com/get_content.php?id=1869",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
            },
            {
              "name": "1036338",
              "refsource": "SECTRACK",
              "tags": [
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1036338"
            },
            {
              "name": "USN-3039-1",
              "refsource": "UBUNTU",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.ubuntu.com/usn/USN-3039-1"
            },
            {
              "name": "DSA-3622",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.debian.org/security/2016/dsa-3622"
            },
            {
              "name": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
            },
            {
              "name": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
            },
            {
              "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Patch"
              ],
              "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
            },
            {
              "name": "92058",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/92058"
            },
            {
              "name": "RHSA-2016:1596",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
            },
            {
              "name": "RHSA-2016:1595",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
            },
            {
              "name": "40129",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/40129/"
            },
            {
              "name": "FEDORA-2016-b7e31a0b9a",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
            },
            {
              "name": "RHSA-2016:1594",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
            },
            {
              "name": "FEDORA-2016-97ca9d52a4",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
            },
            {
              "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2018-10-09T20:00Z",
      "publishedDate": "2016-08-05T15:59Z"
    }
  }
}

PYSEC-2016-2

Vulnerability from pysec - Published: 2016-08-05 15:59 - Updated: 2021-09-01 08:35

Details

Impacted products

Name	purl
django	pkg:pypi/django

Aliases

CVE-2016-6186

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django",
        "purl": "pkg:pypi/django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
            },
            {
              "fixed": "f68e5a99164867ab0e071a936470958ed867479d"
            }
          ],
          "repo": "https://github.com/django/django",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.14"
            },
            {
              "introduced": "1.9"
            },
            {
              "fixed": "1.9.8"
            },
            {
              "introduced": "1.10a0"
            },
            {
              "fixed": "1.10rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.1",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.2.6",
        "1.2.7",
        "1.3",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.4",
        "1.4.1",
        "1.4.10",
        "1.4.11",
        "1.4.12",
        "1.4.13",
        "1.4.14",
        "1.4.15",
        "1.4.16",
        "1.4.17",
        "1.4.18",
        "1.4.19",
        "1.4.2",
        "1.4.20",
        "1.4.21",
        "1.4.22",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.4.8",
        "1.4.9",
        "1.5",
        "1.5.1",
        "1.5.10",
        "1.5.11",
        "1.5.12",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.5.6",
        "1.5.7",
        "1.5.8",
        "1.5.9",
        "1.6",
        "1.6.1",
        "1.6.10",
        "1.6.11",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "1.6.8",
        "1.6.9",
        "1.7",
        "1.7.1",
        "1.7.10",
        "1.7.11",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.7.5",
        "1.7.6",
        "1.7.7",
        "1.7.8",
        "1.7.9",
        "1.8",
        "1.8.1",
        "1.8.10",
        "1.8.11",
        "1.8.12",
        "1.8.13",
        "1.8.2",
        "1.8.3",
        "1.8.4",
        "1.8.5",
        "1.8.6",
        "1.8.7",
        "1.8.8",
        "1.8.9",
        "1.8a1",
        "1.8b1",
        "1.8b2",
        "1.8c1",
        "1.9",
        "1.9.1",
        "1.9.2",
        "1.9.3",
        "1.9.4",
        "1.9.5",
        "1.9.6",
        "1.9.7",
        "1.10a1",
        "1.10b1"
      ]
    }
  ],
  "aliases": [
    "CVE-2016-6186"
  ],
  "details": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",
  "id": "PYSEC-2016-2",
  "modified": "2021-09-01T08:35:44.164135Z",
  "published": "2016-08-05T15:59:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036338"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.ubuntu.com/usn/USN-3039-1"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.debian.org/security/2016/dsa-3622"
    },
    {
      "type": "FIX",
      "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
    },
    {
      "type": "FIX",
      "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92058"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/40129/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
    }
  ]
}

RHSA-2016:1594

Vulnerability from csaf_redhat - Published: 2016-08-10 23:44 - Updated: 2025-11-21 17:57

Summary

Red Hat Security Advisory: python-django security update

Severity

Moderate

Notes

Topic: An update for python-django is now available for Red Hat OpenStack Platform 8.0 Operational Tools for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. Security Fix(es): * A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript's Element.innerHTML to forge content in the admin's add/change related popup. Element.textContent is now used to prevent XSS data execution. (CVE-2016-6186) Red Hat would like to thank the upstream Django project for reporting this issue.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2016-6186

A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript's Element.innerHTML to forge content in the admin's add/change related pop-up. Element.textContent is now used to prevent XSS data execution.

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: 7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix

Threats

Impact Moderate

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2016:1594	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2016-6186	self
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://www.cve.org/CVERecord?id=CVE-2016-6186	external
https://nvd.nist.gov/vuln/detail/CVE-2016-6186	external

Acknowledgments

the upstream Django project

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-django is now available for Red Hat OpenStack Platform 8.0 Operational Tools for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related popup. Element.textContent is now used to prevent XSS data execution. (CVE-2016-6186)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1594",
        "url": "https://access.redhat.com/errata/RHSA-2016:1594"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1355663",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1594.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:57:04+00:00",
      "generator": {
        "date": "2025-11-21T17:57:04+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2016:1594",
      "initial_release_date": "2016-08-10T23:44:08+00:00",
      "revision_history": [
        {
          "date": "2016-08-10T23:44:08+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-08-10T23:44:08+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:57:04+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
                  "product_id": "7Server-RH7-RHOS-8.0-OPTOOLS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack-optools:8::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.src",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.src",
                  "product_id": "python-django-0:1.8.14-1.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
          "product_id": "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0-OPTOOLS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
          "product_id": "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0-OPTOOLS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
          "product_id": "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0-OPTOOLS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "the upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2016-6186",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2016-07-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1355663"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related pop-up. Element.textContent is now used to prevent XSS data execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "django: XSS in admin\u0027s add/change related popup",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch",
          "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src",
          "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "RHBZ#1355663",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-6186",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186"
        }
      ],
      "release_date": "2016-07-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-10T23:44:08+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "django: XSS in admin\u0027s add/change related popup"
    }
  ]
}

RHSA-2016:1595

Vulnerability from csaf_redhat - Published: 2016-08-11 00:04 - Updated: 2025-11-21 17:57

Summary

Red Hat Security Advisory: python-django security update

Severity

Moderate

Notes

Topic: An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2016-6186

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix

Threats

Impact Moderate

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2016:1595	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2016-6186	self
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://www.cve.org/CVERecord?id=CVE-2016-6186	external
https://nvd.nist.gov/vuln/detail/CVE-2016-6186	external

Acknowledgments

the upstream Django project

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related popup. Element.textContent is now used to prevent XSS data execution. (CVE-2016-6186)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1595",
        "url": "https://access.redhat.com/errata/RHSA-2016:1595"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1355663",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1595.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:57:05+00:00",
      "generator": {
        "date": "2025-11-21T17:57:05+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2016:1595",
      "initial_release_date": "2016-08-11T00:04:09+00:00",
      "revision_history": [
        {
          "date": "2016-08-11T00:04:09+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-08-11T00:04:09+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:57:05+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
                  "product_id": "7Server-RH7-RHOS-7.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:7::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-doc-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-doc-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-doc-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-doc@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.src",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.src",
                  "product_id": "python-django-0:1.8.14-1.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-7.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-7.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-7.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-doc-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-doc-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-7.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "the upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2016-6186",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2016-07-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1355663"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related pop-up. Element.textContent is now used to prevent XSS data execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "django: XSS in admin\u0027s add/change related popup",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch",
          "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src",
          "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
          "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "RHBZ#1355663",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-6186",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186"
        }
      ],
      "release_date": "2016-07-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-11T00:04:09+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1595"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "django: XSS in admin\u0027s add/change related popup"
    }
  ]
}

RHSA-2016:1596

Vulnerability from csaf_redhat - Published: 2016-08-11 01:23 - Updated: 2025-11-21 17:57

Summary

Red Hat Security Advisory: python-django security update

Severity

Moderate

Notes

Topic: An update for python-django is now available for Red Hat OpenStack Platform 8.0 (Liberty). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2016-6186

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: 7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.src	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix

Threats

Impact Moderate

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2016:1596	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2016-6186	self
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://www.cve.org/CVERecord?id=CVE-2016-6186	external
https://nvd.nist.gov/vuln/detail/CVE-2016-6186	external

Acknowledgments

the upstream Django project

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-django is now available for Red Hat OpenStack Platform 8.0 (Liberty).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related popup. Element.textContent is now used to prevent XSS data execution. (CVE-2016-6186)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1596",
        "url": "https://access.redhat.com/errata/RHSA-2016:1596"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1355663",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1596.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:57:09+00:00",
      "generator": {
        "date": "2025-11-21T17:57:09+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2016:1596",
      "initial_release_date": "2016-08-11T01:23:19+00:00",
      "revision_history": [
        {
          "date": "2016-08-11T01:23:19+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-08-11T01:23:19+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:57:09+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenStack Platform 8.0 (Liberty)",
                "product": {
                  "name": "Red Hat OpenStack Platform 8.0 (Liberty)",
                  "product_id": "7Server-RH7-RHOS-8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:8::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.src",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.src",
                  "product_id": "python-django-0:1.8.14-1.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.noarch as a component of Red Hat OpenStack Platform 8.0 (Liberty)",
          "product_id": "7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.src as a component of Red Hat OpenStack Platform 8.0 (Liberty)",
          "product_id": "7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.src"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch as a component of Red Hat OpenStack Platform 8.0 (Liberty)",
          "product_id": "7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "the upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2016-6186",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2016-07-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1355663"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related pop-up. Element.textContent is now used to prevent XSS data execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "django: XSS in admin\u0027s add/change related popup",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.noarch",
          "7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.src",
          "7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "RHBZ#1355663",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-6186",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186"
        }
      ],
      "release_date": "2016-07-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-11T01:23:19+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1596"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-8.0:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "django: XSS in admin\u0027s add/change related popup"
    }
  ]
}

RHSA-2016_1594

Vulnerability from csaf_redhat - Published: 2016-08-10 23:44 - Updated: 2024-11-14 20:46

Summary

Red Hat Security Advisory: python-django security update

Severity

Moderate

Notes

CVE-2016-6186

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: 7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix

Threats

Impact Moderate

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2016:1594	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2016-6186	self
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://www.cve.org/CVERecord?id=CVE-2016-6186	external
https://nvd.nist.gov/vuln/detail/CVE-2016-6186	external

Acknowledgments

the upstream Django project

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-django is now available for Red Hat OpenStack Platform 8.0 Operational Tools for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related popup. Element.textContent is now used to prevent XSS data execution. (CVE-2016-6186)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1594",
        "url": "https://access.redhat.com/errata/RHSA-2016:1594"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1355663",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1594.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django security update",
    "tracking": {
      "current_release_date": "2024-11-14T20:46:31+00:00",
      "generator": {
        "date": "2024-11-14T20:46:31+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2016:1594",
      "initial_release_date": "2016-08-10T23:44:08+00:00",
      "revision_history": [
        {
          "date": "2016-08-10T23:44:08+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-08-10T23:44:08+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-14T20:46:31+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
                  "product_id": "7Server-RH7-RHOS-8.0-OPTOOLS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack-optools:8::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.src",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.src",
                  "product_id": "python-django-0:1.8.14-1.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
          "product_id": "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0-OPTOOLS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
          "product_id": "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0-OPTOOLS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7",
          "product_id": "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-8.0-OPTOOLS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "the upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2016-6186",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2016-07-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1355663"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related pop-up. Element.textContent is now used to prevent XSS data execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "django: XSS in admin\u0027s add/change related popup",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch",
          "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src",
          "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "RHBZ#1355663",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-6186",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186"
        }
      ],
      "release_date": "2016-07-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-10T23:44:08+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1594"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-8.0-OPTOOLS:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "django: XSS in admin\u0027s add/change related popup"
    }
  ]
}

RHSA-2016_1595

Vulnerability from csaf_redhat - Published: 2016-08-11 00:04 - Updated: 2024-11-14 20:46

Summary

Red Hat Security Advisory: python-django security update

Severity

Moderate

Notes

CVE-2016-6186

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix
Unresolved product id: 7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch	—	Vendor Fix fix

Threats

Impact Moderate

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2016:1595	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2016-6186	self
https://bugzilla.redhat.com/show_bug.cgi?id=1355663	external
https://www.cve.org/CVERecord?id=CVE-2016-6186	external
https://nvd.nist.gov/vuln/detail/CVE-2016-6186	external

Acknowledgments

the upstream Django project

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related popup. Element.textContent is now used to prevent XSS data execution. (CVE-2016-6186)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1595",
        "url": "https://access.redhat.com/errata/RHSA-2016:1595"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1355663",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1595.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django security update",
    "tracking": {
      "current_release_date": "2024-11-14T20:46:22+00:00",
      "generator": {
        "date": "2024-11-14T20:46:22+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2016:1595",
      "initial_release_date": "2016-08-11T00:04:09+00:00",
      "revision_history": [
        {
          "date": "2016-08-11T00:04:09+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-08-11T00:04:09+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-14T20:46:22+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
                  "product_id": "7Server-RH7-RHOS-7.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:7::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-doc-0:1.8.14-1.el7ost.noarch",
                "product": {
                  "name": "python-django-doc-0:1.8.14-1.el7ost.noarch",
                  "product_id": "python-django-doc-0:1.8.14-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-doc@1.8.14-1.el7ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-0:1.8.14-1.el7ost.src",
                "product": {
                  "name": "python-django-0:1.8.14-1.el7ost.src",
                  "product_id": "python-django-0:1.8.14-1.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@1.8.14-1.el7ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-7.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:1.8.14-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src"
        },
        "product_reference": "python-django-0:1.8.14-1.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-7.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-7.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-doc-0:1.8.14-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch"
        },
        "product_reference": "python-django-doc-0:1.8.14-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-7.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "the upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2016-6186",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2016-07-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1355663"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript\u0027s Element.innerHTML to forge content in the admin\u0027s add/change related pop-up. Element.textContent is now used to prevent XSS data execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "django: XSS in admin\u0027s add/change related popup",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch",
          "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src",
          "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
          "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "RHBZ#1355663",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1355663"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-6186",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-6186"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186"
        }
      ],
      "release_date": "2016-07-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-11T00:04:09+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1595"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-7.0:python-django-0:1.8.14-1.el7ost.src",
            "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.14-1.el7ost.noarch",
            "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.14-1.el7ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "django: XSS in admin\u0027s add/change related popup"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-6186 (GCVE-0-2016-6186)

Tags

Sightings

Nomenclature