PYSEC-2023-61

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-61.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2023-61
Aliases
Published
2023-05-07T02:15:00Z
Modified
2023-12-06T00:47:57.672678Z
Summary
[none]
Details

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2
Fixed
3.2.19
Introduced
4.0
Fixed
4.1.9
Introduced
4.2
Fixed
4.2.1

Affected versions

3.*

3.2a1
3.2b1
3.2rc1
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.2.15
3.2.16
3.2.17
3.2.18

4.*

4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.1a1
4.1b1
4.1rc1
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.2a1
4.2b1
4.2rc1
4.2