Vulnerability Name: CVE-2016-6186 (CCN-115099)
Assigned: 2016-07-19
Published: 2016-07-19
Updated: 2018-10-09
Summary: Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
The function runs in the admin page that opened a related-object change popup. Once the popup form is saved, the function receives the saved object's string representation and wrote it into the matching <option> element with innerHTML, so any markup in that representation was parsed and rendered instead of being displayed as text. The vendor fix (Django 1.8.14, 1.9.8 and 1.10rc1) assigns the value with textContent instead.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
The CCN temporal vector rates PR:L where the NVD base vector has PR:N: the payload has to be stored in the string representation of an object that an admin user later edits through the related-object popup, and the admin user must save that popup (UI:R) for the script to execute.
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Vulnerability Type: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Vulnerability Consequences: Cross-Site Scripting
References:
- MITRE [CNA]: CVE-2016-6186
- MISC [VDB Entry]: http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
- CCN [RHSA-2016-1594]: Moderate: python-django security update
- REDHAT: RHSA-2016:1594
- CCN [RHSA-2016-1595]: Moderate: python-django security update
- REDHAT: RHSA-2016:1595
- CCN [RHSA-2016-1596]: Moderate: python-django security update
- REDHAT: RHSA-2016:1596
- FULLDISC [Mailing List, Patch]: 20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)
- DEBIAN [Third Party Advisory]: DSA-3622
- BUGTRAQ: 20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)
- BID: 92058
- CCN [BID-92058]: Django CMS 'Editor - Snippets' Module HTML Injection Vulnerability
- SECTRACK [VDB Entry]: 1036338
- UBUNTU [Third Party Advisory]: USN-3039-1
- MISC [Patch, Third Party Advisory]: http://www.vulnerability-lab.com/get_content.php?id=1869
- XF: django-cms-xss(115099)
- CONFIRM [Patch]: https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
- CONFIRM [Patch]: https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
- FEDORA: FEDORA-2016-b7e31a0b9a
- FEDORA: FEDORA-2016-97ca9d52a4
- CCN [Packet Storm Security, 07-19-2016]: Django 3.3.0 Script Insertion
- CCN [Django Web Site]: The Web framework for perfectionists with deadlines | Django
- CONFIRM [Patch, Vendor Advisory]: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
- EXPLOIT-DB [EXPLOIT]: Offensive Security Exploit Database [07-20-2016]
- EXPLOIT-DB: 40129
Vulnerable Configuration:
Configuration 1:
Configuration 2:
Oval Definitions:
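Two checks a practitioner would run against a deployment for the issue described in the summary, as an added example written for this page (editor's code, not Django's or any distribution's): a version test that applies the affected ranges from the summary to a Django version string, including the a/b/rc pre-release forms such as 1.10rc1, and a source test that flags an innerHTML assignment inside dismissChangeRelatedObjectPopup in a RelatedObjectLookups.js file. The two JavaScript snippets embedded below are constructed to model the pre-fix and post-fix shape of that function for the test and are not copied from Django's repository; the function and variable names are taken from the summary, everything else is an assumption.

```python
"""Added example (editor's code, not Django's): two practical checks for
CVE-2016-6186 against a deployment.

  1. is_vulnerable(version) applies the affected ranges from the summary
     (before 1.8.14, 1.9.x before 1.9.8, 1.10.x before 1.10rc1) to a
     Django version string, including the a/b/rc pre-release forms.
  2. has_unsafe_innerhtml(js_source) flags an innerHTML assignment inside
     dismissChangeRelatedObjectPopup in a RelatedObjectLookups.js file.

The JavaScript snippets below are constructed for the test and only model
the vulnerable and hardened shapes; they are not copied from Django.
"""
import re

# Django version forms: 1.8.13, 1.10, 1.10a1, 1.10b1, 1.10rc1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = 3  # a final release sorts after any pre-release of the same number


def parse_version(version):
    """Return a comparable tuple (major, minor, micro, pre_rank, pre_num)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Django version: %r" % version)
    major, minor, micro, pre, pre_num = m.groups()
    return (
        int(major),
        int(minor),
        int(micro or 0),
        _PRE_RANK[pre] if pre else _FINAL,
        int(pre_num or 0),
    )


# First fixed release of each affected series, from the summary.
FIXED_1_8 = parse_version("1.8.14")
FIXED_1_9 = parse_version("1.9.8")
FIXED_1_10 = parse_version("1.10rc1")


def is_vulnerable(version):
    """True if this Django version falls in an affected range for CVE-2016-6186.

    Series older than 1.8 were end-of-life and never received the fix; the
    summary's wording ("before 1.8.14") counts them as affected.
    """
    v = parse_version(version)
    series = v[:2]
    if series <= (1, 8):
        return v < FIXED_1_8
    if series == (1, 9):
        return v < FIXED_1_9
    if series == (1, 10):
        return v < FIXED_1_10
    return False  # 1.11 and later were released after the fix


def has_unsafe_innerhtml(js_source):
    """True if dismissChangeRelatedObjectPopup assigns to innerHTML.

    Only that function's body is inspected, up to the next top-level
    `function` declaration, so innerHTML use elsewhere in the file does not
    produce a false positive. A hit means "look closer"; the version check
    is the authoritative test.
    """
    start = re.search(r"function\s+dismissChangeRelatedObjectPopup\s*\(", js_source)
    if not start:
        return False
    rest = js_source[start.end():]
    nxt = re.search(r"\nfunction\s", rest)
    body = rest[: nxt.start()] if nxt else rest
    return re.search(r"\.innerHTML\s*=(?!=)", body) is not None


# Constructed snippets (assumption: modelled on the function named in the
# summary, not verbatim Django source).
VULNERABLE_JS = """
function dismissChangeRelatedObjectPopup(win, objId, newRepr, newId) {
    var id = windowname_to_id(win.name).replace(/^edit_/, '');
    var selects = $(interpolate('#%s, #%s_from, #%s_to', [id, id, id]));
    selects.find('option').each(function() {
        if (this.value === objId) {
            this.innerHTML = newRepr;  // newRepr is parsed as markup
            this.value = newId;
        }
    });
    win.close();
}
"""

HARDENED_JS = VULNERABLE_JS.replace(
    "this.innerHTML = newRepr;  // newRepr is parsed as markup",
    "this.textContent = newRepr;  // newRepr is inserted as text",
)


if __name__ == "__main__":
    for ver in ("1.8.13", "1.8.14", "1.9.7", "1.9.8", "1.10b1", "1.10rc1", "1.11"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    print("innerHTML in vulnerable snippet:", has_unsafe_innerhtml(VULNERABLE_JS))
    print("innerHTML in hardened snippet:", has_unsafe_innerhtml(HARDENED_JS))
```

In a real deployment, feed `is_vulnerable()` the value of `django.get_version()` and `has_unsafe_innerhtml()` the contents of the installed RelatedObjectLookups.js (under `django/contrib/admin/static/admin/js/admin/`); distribution packages that backported the patch keep their old version number, which is why the source check is useful alongside the version check.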