The Django admin in releases 1.1.2, 1.2.3 and earlier has an information leakage vulnerability.
Here is a theoretical setup, similar to the one in the video, to explain the vulnerability.
I have a user who has add, change and delete permissions on the following model in the admin interface. They are a staff user, not a superuser. When they log in, they see only a few entries for this model.
# "Entry" is a placeholder class name; the post does not name the model
class Entry(models.Model):
    created_by = models.ForeignKey(User)
    title = models.CharField(max_length=64)
This model is registered with the admin without any custom ModelAdmin.
Below is an example of how this could be used / abused:
We can extract the exact values using a technique similar to blind SQL injection. Keep in mind that we don't have to stop at one level; list filters can be chained multiple times.
Depending on the results of the above queries, we would know whether the next character is in 0-9 or a-f; we can then split that range and narrow it down further, eventually (and painfully) extracting the entire value.
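As an added example that is not part of the original post or of Django's own code, here is a stand-alone Python model of the allow-list check that Django's fix added to ModelAdmin (lookup_allowed): a changelist lookup that only touches the model's own columns passes, while one that crosses the created_by relation must be named explicitly in list_filter. The SCHEMA dict and the "Entry" model name are constructed stand-ins for the post's model.

```python
from urllib.parse import parse_qsl

# Constructed schema standing in for Django models: field name -> related
# model name, or None for a plain column. "Entry" is the post's model.
SCHEMA = {
    "Entry": {"id": None, "title": None, "created_by": "User"},
    "User": {"id": None, "username": None, "password": None, "is_superuser": None},
}

# Changelist parameters the admin reserves for paging, ordering and search.
RESERVED_PARAMS = {"o", "p", "q", "ot", "all", "pop"}


def relation_parts(model, lookup):
    """Walk a query-string key such as 'created_by__password__startswith'
    and collect the field names it passes through, stopping at the first
    part that is not a field (normally the lookup type)."""
    parts, fields, prev_was_relation = [], SCHEMA[model], False
    for part in lookup.split("__"):
        if part not in fields:
            break
        # 'created_by__id' reads the FK's own column, not a row in User
        if not (prev_was_relation and part == "id"):
            parts.append(part)
        if fields[part] is None:
            break  # plain column reached; anything after it is a lookup type
        prev_was_relation, fields = True, SCHEMA[fields[part]]
    return parts


def lookup_allowed(model, lookup, list_filter):
    """Model of the allow-list check: a lookup on the model's own columns is
    fine; one that crosses a relation must be named in list_filter."""
    parts = relation_parts(model, lookup)
    if len(parts) <= 1:
        return True  # local field (or unknown name, which the ORM rejects later)
    return "__".join(parts) in list_filter


def disallowed_lookups(model, query_string, list_filter):
    """Return the changelist query-string keys that the check would refuse."""
    return [key for key, _value in parse_qsl(query_string)
            if key not in RESERVED_PARAMS
            and not lookup_allowed(model, key, list_filter)]
```

With list_filter = ["created_by"], filtering on created_by__id or on the model's own title column is accepted, while any key that reaches into the related User row is refused.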
The advisory from the Django dev team can be found here: Security releases issued