VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-b2ds-36xh-zfhp

Vulnerability ID	VCID-b2ds-36xh-zfhp
Aliases	PYSEC-2019-85
Summary	Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
Status	Published
Exploitability	0.5
Weighted Severity	0.0
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (0)

There are no known CWE.

System	Score	Found at
There are no known severity scores.

Reference id	Reference type	URL
		https://docs.djangoproject.com/en/dev/releases/security/
		https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/
		https://security.gentoo.org/glsa/202004-17
		https://security.netapp.com/advisory/ntap-20191217-0003/
		https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
		http://www.openwall.com/lists/oss-security/2019/12/02/1

No exploits are available.

There are no known vectors.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T15:01:17.077235+00:00	PyPI Importer	Import	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.0.0