CVE-2016-2048: Users with "change" permission can create objects
If a ModelAdmin uses save_as=True (not the default), the admin provides an option when editing objects to “Save as new”. A regression prevented that form submission from raising a “Permission Denied” error for users without the “add” permission.
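To see which admin classes in a code base are exposed, the following added example (not from the advisory or from Django) lists every class that sets save_as = True, the non-default option named above. The sample module and its class names are constructed, and the check is a heuristic: it does not follow inheritance or values assigned dynamically.

```python
import ast

# Constructed sample of a project's admin.py; it is parsed, never imported or run.
SAMPLE_ADMIN_PY = '''
from django.contrib import admin
from .models import Article, Comment

class ArticleAdmin(admin.ModelAdmin):
    list_display = ("title",)
    save_as = True

class CommentAdmin(admin.ModelAdmin):
    save_as = False

class TagAdmin(admin.ModelAdmin):
    pass
'''


def find_save_as_admins(source, filename="<constructed>"):
    """Return (class_name, line) for each class whose body sets save_as = True."""
    hits = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.ClassDef):
            continue
        for stmt in node.body:
            if isinstance(stmt, ast.Assign):
                # Plain form: save_as = True
                targets, value = stmt.targets, stmt.value
            elif isinstance(stmt, ast.AnnAssign) and stmt.value is not None:
                # Annotated form: save_as: bool = True
                targets, value = [stmt.target], stmt.value
            else:
                continue
            names = {t.id for t in targets if isinstance(t, ast.Name)}
            literal_true = isinstance(value, ast.Constant) and value.value is True
            if "save_as" in names and literal_true:
                hits.append((node.name, stmt.lineno))
    return hits


if __name__ == "__main__":
    for cls, line in find_save_as_admins(SAMPLE_ADMIN_PY):
        print(f"{cls} (line {line}): save_as=True, review who holds only 'change'")
```

Each class reported is one where a user holding only the “change” permission is offered “Save as new”, so those are the admins to review first.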