VYPR
Medium severity 6.1 · NVD Advisory · Published Aug 5, 2016 · Updated Jun 17, 2026

CVE-2016-6186

Description

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | < 1.8.14 | 1.8.14 |
| Django (PyPI) | >= 1.9, < 1.9.8 | 1.9.8 |
| Django (PyPI) | >= 1.10a1, < 1.10rc1 | 1.10rc1 |

Affected products

14
  • cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* (+ 11 more)
    • cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* (range: <=1.8.13)
    • cpe:2.3:a:djangoproject:django:1.10:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.10:beta1:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • ghsa-coords
    Range: < 1.8.14

References

28