CVE-2013-0305

Publication date 20 February 2013

Last updated 24 July 2024

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-django	12.10 quantal	Fixed 1.4.1-2ubuntu0.3
	12.04 LTS precise	Fixed 1.3.1-4ubuntu1.6
	11.10 oneiric	Fixed 1.3-2ubuntu1.6
	10.04 LTS lucid	Fixed 1.1.1-2ubuntu1.8
	8.04 LTS hardy	Ignored

How can I get the fixes?
What do statuses mean?
Patch details

Notes

jdstrand

requires access to the admin interface

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
python-django	Upstream: 0e7861a Upstream: d3a45e1 Vendor: http://www.debian.org/security/2013/dsa-2634

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1757-1
Django vulnerabilities
7 March 2013

Other references

https://www.djangoproject.com/weblog/2013/feb/19/security/
https://www.cve.org/CVERecord?id=CVE-2013-0305