製品・ソフトウェアに関する情報

JVN脆弱性詳細

Django の contrib/admin/static/admin/js/admin/RelatedObjectLookups.js におけるクロスサイトスクリプティングの脆弱性

Title	Django の contrib/admin/static/admin/js/admin/RelatedObjectLookups.js におけるクロスサイトスクリプティングの脆弱性
Summary	Django の contrib/admin/static/admin/js/admin/RelatedObjectLookups.js の dismissChangeRelatedObjectPopup 関数には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、Element.innerHTML の安全でない使用に関する問題によって、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 18, 2016, midnight
Registration Date	Aug. 9, 2016, 12:21 p.m.
Last Update	Aug. 9, 2016, 12:21 p.m.

CVSS3.0 : 警告
Score	6.1
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

Debian

Debian GNU/Linux 8.0

Django Software Foundation

Django 1.10rc1 未満の 1.10.x

Django 1.8.14 未満

Django 1.9.8 未満の 1.9.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-6186	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6186
National Vulnerability Database (NVD)
2	CVE-2016-6186	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6186

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-3622	https://www.debian.org/security/2016/dsa-3622
Django weblog
2	Django security releases issued: 1.10 release candidate 1, 1.9.8, and 1.8.14	https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
GitHub
3	[1.8.x] Fixed XSS in admin's add/change related popup.	https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
4	[1.9.x] Fixed XSS in admin's add/change related popup.	https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158

Change Log

No	Changed Details	Date of change
0	[2016年08月08日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-6186

Summary	Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Publication Date	Aug. 6, 2016, 12:59 a.m.
Registration Date	Jan. 26, 2021, 2:15 p.m.
Last Update	Nov. 21, 2024, 11:55 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:djangoproject:django:1.10:alpha1::::::
cpe:2.3:a:djangoproject:django:1.9.6:::::::*
cpe:2.3:a:djangoproject:django:1.9.0:rc1::::::
cpe:2.3:a:djangoproject:django:1.9.5:::::::*
cpe:2.3:a:djangoproject:django::::::::		1.8.13
cpe:2.3:a:djangoproject:django:1.9.3:::::::*
cpe:2.3:a:djangoproject:django:1.9.4:::::::*
cpe:2.3:a:djangoproject:django:1.9.7:::::::*
cpe:2.3:a:djangoproject:django:1.9.1:::::::*
cpe:2.3:a:djangoproject:django:1.9:::::::*
cpe:2.3:a:djangoproject:django:1.10:beta1::::::
cpe:2.3:a:djangoproject:django:1.9.2:::::::*

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html	VDB Entry
2	http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html	VDB Entry
3	http://rhn.redhat.com/errata/RHSA-2016-1594.html
4	http://rhn.redhat.com/errata/RHSA-2016-1594.html
5	http://rhn.redhat.com/errata/RHSA-2016-1595.html
6	http://rhn.redhat.com/errata/RHSA-2016-1595.html
7	http://rhn.redhat.com/errata/RHSA-2016-1596.html
8	http://rhn.redhat.com/errata/RHSA-2016-1596.html
9	http://seclists.org/fulldisclosure/2016/Jul/53	Mailing List Patch
10	http://seclists.org/fulldisclosure/2016/Jul/53	Mailing List Patch
11	http://www.debian.org/security/2016/dsa-3622	Third Party Advisory
12	http://www.debian.org/security/2016/dsa-3622	Third Party Advisory
13	http://www.securityfocus.com/archive/1/538947/100/0/threaded
14	http://www.securityfocus.com/archive/1/538947/100/0/threaded
15	http://www.securityfocus.com/bid/92058
16	http://www.securityfocus.com/bid/92058
17	http://www.securitytracker.com/id/1036338	VDB Entry
18	http://www.securitytracker.com/id/1036338	VDB Entry
19	http://www.ubuntu.com/usn/USN-3039-1	Third Party Advisory
20	http://www.ubuntu.com/usn/USN-3039-1	Third Party Advisory
21	http://www.vulnerability-lab.com/get_content.php?id=1869	Patch Third Party Advisory
22	http://www.vulnerability-lab.com/get_content.php?id=1869	Patch Third Party Advisory
23	https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158	Patch
24	https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158	Patch
25	https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d	Patch
26	https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d	Patch
27	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
28	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
29	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
30	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
31	https://www.djangoproject.com/weblog/2016/jul/18/security-releases/	Patch Vendor Advisory
32	https://www.djangoproject.com/weblog/2016/jul/18/security-releases/	Patch Vendor Advisory
33	https://www.exploit-db.com/exploits/40129/
34	https://www.exploit-db.com/exploits/40129/

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:djangoproject:django:1.10:alpha1::::::
cpe:2.3:a:djangoproject:django:1.9.6:::::::*
cpe:2.3:a:djangoproject:django:1.9.0:rc1::::::
cpe:2.3:a:djangoproject:django:1.9.5:::::::*
cpe:2.3:a:djangoproject:django::::::::		1.8.13
cpe:2.3:a:djangoproject:django:1.9.3:::::::*
cpe:2.3:a:djangoproject:django:1.9.4:::::::*
cpe:2.3:a:djangoproject:django:1.9.7:::::::*
cpe:2.3:a:djangoproject:django:1.9.1:::::::*
cpe:2.3:a:djangoproject:django:1.9:::::::*
cpe:2.3:a:djangoproject:django:1.10:beta1::::::
cpe:2.3:a:djangoproject:django:1.9.2:::::::*