In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
09 Jun 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 May 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 May 2023, 16:43
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:djangoproject:django:4.2:-:*:*:*:*:*:* cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* cpe:2.3:a:djangoproject:django:4.2:b1:*:*:*:*:*:* cpe:2.3:a:djangoproject:django:4.2:rc1:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
|
CWE | CWE-20 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | (CONFIRM) https://www.djangoproject.com/weblog/2023/may/03/security-releases/ - Vendor Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/ - Issue Tracking, Third Party Advisory | |
References | (MISC) https://docs.djangoproject.com/en/4.2/releases/security/ - Vendor Advisory | |
References | (MISC) https://groups.google.com/forum/#!forum/django-announce - Mailing List |
11 May 2023, 05:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 May 2023, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-07 02:15
Updated : 2024-02-04 23:37
NVD link : CVE-2023-31047
Mitre link : CVE-2023-31047
CVE.ORG link : CVE-2023-31047
JSON object : View
Products Affected
fedoraproject
- fedora
djangoproject
- django
CWE
CWE-20
Improper Input Validation