CVE-2016-6186 Medium Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2016-6186 - Medium Severity Vulnerability

Vulnerable Library - Django-1.4.1.tar.gz

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

path: /test1111/requirements.txt

Library home page: https://pypi.python.org/packages/e6/3f/f3e67d9c2572765ffe4268fc7f9997ce3b02e78fd144733f337d72dabb12/Django-1.4.1.tar.gz

Dependency Hierarchy:

• ❌ Django-1.4.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 62fc916d94bd6f0b01520b2422e2421c65cf16e4

Vulnerability Details

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Publish Date: 2016-08-05

URL: CVE-2016-6186

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1036338

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix (1.9.8, and 1.8.14, 1.9.8).

The vendor's advisory is available at:

https://www.djangoproject.com/weblog/2016/jul/18/security-releases/

---

Step up your Open Source Security Game with WhiteSource here