Improper query string handling in Django
High severity
GitHub Reviewed
Published
Jul 23, 2018
to the GitHub Advisory Database
•
Updated May 19, 2026
Description
Published by the National Vulnerability Database
Jan 10, 2011
Published to the GitHub Advisory Database
Jul 23, 2018
Reviewed
Jun 16, 2020
Last updated
May 19, 2026
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
References