How severe is CVE-2019-19118?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2019-19118?

This is classified as CWE-276, which is a common weakness in software security.

CVE-2019-19118 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)

Related Vulnerabilities

CVE-2017-0369

MEDIUM

CVSS:6.5(Medium)

Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw, allowing a sysops to undelete pages, although the page is protected against it.

CWE-2762017

CVE-2017-1000084

MEDIUM

CVSS:6.5(Medium)

Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in...

CWE-2762017

CVE-2018-13286

MEDIUM

CVSS:6.5(Medium)

Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world re...

CWE-2762018

CVE-2018-13287

MEDIUM

CVSS:6.5(Medium)

Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readab...

CWE-2762018

CVE-2019-10463

MEDIUM

CVSS:6.5(Medium)

A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials...

CWE-2762019

CVE-2019-10469

MEDIUM

CVSS:6.5(Medium)

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credenti...

CWE-2762019