Security readout for executives and security teams
Plain-English summary
This is a cross-site scripting flaw in the unsupported django-ucamlookup package, affecting versions 1.9.0 and 1.9.1. A user with access to the lookup function could cause the application to render unsafe script content. Business impact is likely limited, but affected internal Django apps should be upgraded or retired.
Executive priority
Treat as a targeted maintenance issue, not an emergency. Remediate affected systems because the component is unsupported and the fix is available, but prioritize based on whether vulnerable lookup functionality is deployed and user-accessible.
Technical view
CVE-2016-15010 is CWE-79 in the django-ucamlookup Lookup Handler. The CVSS v2 vector is AV:N/AC:L/Au:S/C:N/I:P/A:N, indicating network reachability, low complexity, authenticated access, and partial integrity impact. Version 1.9.2 and commit 5e25e4765637ea4b9e0bf5fcd5e9a922abee7eb3 are identified as the fix.
Likely exposure
Exposure is likely limited to organizations running University of Cambridge django-ucamlookup 1.9.0 or 1.9.1 inside Django applications, especially internal directory lookup workflows. The source states the affected product is no longer supported by the maintainer.
Exploitation context
The sources describe remote exploitation and authenticated access requirements, but do not cite active exploitation. The CVE is not listed as KEV in the supplied bundle. Public details are sparse, and the vulnerable internal functionality is not fully described.
Researcher notes
Evidence supports XSS in django-ucamlookup up to 1.9.1 with authenticated network access. The exact vulnerable code path is not detailed in the CVE text beyond the Lookup Handler. Avoid assuming broader Django or University of Cambridge system exposure.
Mitigation direction
- Upgrade django-ucamlookup to version 1.9.2 where still in use.
- Retire or replace the unsupported component if upgrade is not viable.
- Check vendor release and patch references before changing production systems.
- Prioritize apps exposing lookup functionality to authenticated users.
- Document any temporary risk acceptance for unsupported deployments.
Validation and detection
- Inventory Django applications for django-ucamlookup dependency usage.
- Confirm deployed versions are not 1.9.0 or 1.9.1.
- Identify whether the lookup handler is reachable by users.
- Verify version 1.9.2 or the referenced patch is present.
- Review authenticated lookup activity for unusual input patterns.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2016-15010 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 4 (2.0)
- Known Exploited
- No
- Published
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
AV:N/AC:L/Au:S/C:N/I:P/A:N82.9Primary CVE scoreVulnerability scoring details
Base CVSS 2.0 score
4MediumVector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://vuldb.com/?id.217441CVE reference · vdb-entry, technical-description
- https://vuldb.com/?ctiid.217441CVE reference · signature, permissions-required
- https://github.com/uisautomation/django-ucamlookup/commit/5e25e4765637ea4b9e0bf5fcd5e9a922abee7eb3CVE reference · patch
- https://github.com/uisautomation/django-ucamlookup/releases/tag/1.9.2CVE reference · patch
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
