CVE-2019-19118: Incorrect Default Permissions
Django allows unintended model editing. A Django ModelAdmin displaying inline related models, where the user has view-only permission on the parent model but edit permission on the inline model, would be presented with an editing UI and would accept POST requests that update the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was still called on every such POST, triggering any side effects in it and invoking its pre_save and post_save signal handlers. The issue was fixed in Django 2.2.8 and 2.1.15; after the fix, a POST to the change view requires change permission on the parent, and inlines are rendered read-only when the user lacks it.
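The following is a simplified re-implementation of the admin permission logic behind this advisory, added here to show the vulnerable and fixed behaviour side by side. It is not Django's code and not from the advisory: Signal, Parent, Child, AdminUser, Formset, PermissionDenied, inline_permissions(), changeform_view() and run_scenario() are names constructed for this example, the permission codenames follow Django's "app.<action>_<model>" convention for a hypothetical app, and the shape of the fix (deny POST without change permission on the parent, drop the inline edit permissions and set extra/max_num to 0 when the parent is view-only) reflects this editor's reading of the upstream change rather than its exact code.

```python
"""Constructed model of the Django admin checks behind CVE-2019-19118.
Not Django's code; all names here are invented for this example."""
from dataclasses import dataclass, field
from typing import Optional


class Signal:
    """Minimal stand-in for django.dispatch.Signal (connect/send only)."""
    def __init__(self):
        self.receivers = []

    def connect(self, receiver):
        self.receivers.append(receiver)

    def send(self, sender, **kwargs):
        for receiver in self.receivers:
            receiver(sender, **kwargs)


pre_save = Signal()
post_save = Signal()


@dataclass
class Child:
    pk: int
    name: str


@dataclass
class Parent:
    pk: int
    name: str
    children: list = field(default_factory=list)
    save_count: int = 0

    def save(self):
        # Like Model.save(): pre_save fires, the row is written, post_save fires.
        pre_save.send(sender=Parent, instance=self)
        self.save_count += 1
        post_save.send(sender=Parent, instance=self)


@dataclass(frozen=True)
class AdminUser:
    perms: frozenset

    def has_perm(self, codename: str) -> bool:
        return codename in self.perms


@dataclass
class Formset:
    extra: int = 3
    max_num: Optional[int] = None


class PermissionDenied(Exception):
    pass


def inline_permissions(user: AdminUser, fixed: bool):
    """Edit controls the Child inline exposes on the Parent change page.
    Fixed variant: without change permission on the parent, every inline
    edit permission is dropped and the formset cannot add rows."""
    fs = Formset()
    add = user.has_perm("app.add_child")
    change = user.has_perm("app.change_child")
    delete = user.has_perm("app.delete_child")
    if fixed and not user.has_perm("app.change_parent"):
        add = change = delete = False
        fs.extra = fs.max_num = 0
    return add, change, delete, fs


def changeform_view(user, obj, method, post_data=None, fixed=True):
    """Change view for an existing Parent. Vulnerable: view OR change
    permission is enough to POST. Fixed: POST requires change permission."""
    can_view = user.has_perm("app.view_parent")
    can_change = user.has_perm("app.change_parent")
    allowed = can_change if (method == "POST" and fixed) else (can_view or can_change)
    if not allowed:
        raise PermissionDenied
    if method != "POST":
        return "rendered"
    # A view-only parent form has no editable fields, so it validates trivially
    # and the view still reaches save_model() -> obj.save(), then saves inlines.
    obj.save()
    _, change, _, _ = inline_permissions(user, fixed)
    if change:
        for child in obj.children:
            child.name = post_data.get(f"child-{child.pk}-name", child.name)
    return "saved"


def run_scenario(fixed: bool) -> dict:
    """View-only parent permission plus full child permissions, POSTing an inline edit."""
    fired = []
    pre_save.receivers.clear()
    post_save.receivers.clear()
    pre_save.connect(lambda sender, **kw: fired.append("pre_save"))
    post_save.connect(lambda sender, **kw: fired.append("post_save"))
    user = AdminUser(frozenset({"app.view_parent", "app.add_child",
                                "app.change_child", "app.delete_child"}))
    parent = Parent(pk=1, name="acct", children=[Child(pk=7, name="old")])  # constructed data
    try:
        outcome = changeform_view(user, parent, "POST", {"child-7-name": "edited"}, fixed=fixed)
    except PermissionDenied:
        outcome = "denied"
    return {"outcome": outcome, "parent_saves": parent.save_count,
            "signals": fired, "child_name": parent.children[0].name}
```

run_scenario(False) shows the advisory's failure mode: the POST is accepted, the inline row is edited, and Parent.save() runs with both signal handlers. run_scenario(True) is refused before anything is saved. On a real project the equivalent regression test is a Django test client POST to the admin change URL as a user holding only the parent's view permission, asserting a 403 and that no pre_save/post_save receiver for the parent ran.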
Detect and mitigate CVE-2019-19118 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →