Safety vulnerability ID: 55264
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
https://www.djangoproject.com/weblog/2023/may/03/security-releases
Latest version: 5.1.3
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
*May 3, 2023*
Django 3.2.19 fixes a security issue with severity "low" in 3.2.18.
CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
=================================================================================================
Uploading multiple files using one form field has never been supported by
:class:`.forms.FileField` or :class:`.forms.ImageField`, as only the last
uploaded file was validated. Unfortunately, the :ref:`uploading_multiple_files`
topic suggested otherwise.

In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput`
and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when
the ``multiple`` HTML attribute is set on them. To prevent the exception and
keep the old behavior, set ``allow_multiple_selected`` to ``True``.

For more details on using the new attribute and handling of multiple files
through a single field, see :ref:`uploading_multiple_files`.
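The following is an added, self-contained Python example (not Django's own code and not part of the release note) that models why only the last file was validated and what the documented fix pattern does instead. It mimics two Django semantics the note relies on: ``request.FILES`` behaves like a ``MultiValueDict`` whose ``get()`` returns the last value for a key while ``getlist()`` returns all of them, and a widget with ``allow_multiple_selected`` set raises ``ValueError`` on the ``multiple`` attribute otherwise. The class names ``MultipleFileInput`` and ``MultipleFileField`` follow the ones used in Django's "Uploading multiple files" documentation; the ``Upload`` stand-in, the size and extension policy, and the sample uploads are constructed for the example.

```python
"""Model of the CVE-2023-31047 validation gap and the per-file fix.

Standalone Python, no Django required. Nothing here is Django's code;
the classes are minimal stand-ins for the pieces named in the release note.
"""
import os
from dataclasses import dataclass


@dataclass
class Upload:
    """Stand-in for an uploaded file: just a name and a size in bytes."""
    name: str
    size: int


class MultiValueDict(dict):
    """Minimal stand-in for the request.FILES container: get() yields the
    LAST value for a key, getlist() yields every value."""

    def __init__(self, mapping=()):
        super().__init__()
        for key, values in dict(mapping).items():
            super().__setitem__(key, list(values))

    def get(self, key, default=None):
        values = super().get(key)
        return values[-1] if values else default

    def getlist(self, key):
        return list(super().get(key, []))


class ValidationError(Exception):
    pass


MAX_SIZE = 1_000_000                      # constructed policy for the example
ALLOWED_EXT = {".png", ".jpg", ".pdf"}    # constructed allowlist


def validate_one(upload):
    """Per-file policy check, the stand-in for cleaning a single value."""
    if upload.size > MAX_SIZE:
        raise ValidationError(f"{upload.name}: too large")
    if os.path.splitext(upload.name)[1].lower() not in ALLOWED_EXT:
        raise ValidationError(f"{upload.name}: extension not allowed")
    return upload


class FileInput:
    """Stand-in for forms.FileInput with the post-fix guard from the note."""
    allow_multiple_selected = False

    def __init__(self, attrs=None):
        attrs = dict(attrs or {})
        if attrs.get("multiple") and not self.allow_multiple_selected:
            raise ValueError(f"{type(self).__name__} doesn't support multiple files.")
        self.attrs = attrs

    def value_from_datadict(self, files, name):
        # Single-file widget: only the last uploaded file reaches the field,
        # which is exactly why the other files were never validated.
        if self.allow_multiple_selected:
            return files.getlist(name)
        return files.get(name)


class MultipleFileInput(FileInput):
    allow_multiple_selected = True         # opt in, as the note describes


class FileField:
    widget_class = FileInput

    def __init__(self, widget=None):
        self.widget = widget or self.widget_class()

    def clean(self, data):
        return validate_one(data)

    def bound_value(self, files, name):
        return self.clean(self.widget.value_from_datadict(files, name))


class MultipleFileField(FileField):
    """Documented fix pattern: clean every file, not just the last one."""
    widget_class = MultipleFileInput

    def clean(self, data):
        single_clean = super().clean
        if isinstance(data, (list, tuple)):
            return [single_clean(d) for d in data]
        return [single_clean(data)]


def outcome(field, files, name):
    """Return ('accepted', cleaned) or ('rejected', message) for one field."""
    try:
        return "accepted", field.bound_value(files, name)
    except ValidationError as exc:
        return "rejected", str(exc)


def multiple_attr_rejected(widget_cls):
    """True when the widget refuses the ``multiple`` attribute."""
    try:
        widget_cls(attrs={"multiple": True})
    except ValueError:
        return True
    return False


# Constructed request: two files under one field, the disallowed one first.
SAMPLE_FILES = MultiValueDict(
    {"attachments": [Upload("payload.exe", 10), Upload("ok.png", 10)]}
)

if __name__ == "__main__":
    print("single-file field :", outcome(FileField(), SAMPLE_FILES, "attachments"))
    print("per-file field    :", outcome(MultipleFileField(), SAMPLE_FILES, "attachments"))
    print("FileInput multiple:", multiple_attr_rejected(FileInput))
```

Run it and the single-file field reports the request as accepted, having seen only ``ok.png``, while the per-file field rejects the request on ``payload.exe``; the plain ``FileInput`` refuses the ``multiple`` attribute and ``MultipleFileInput`` accepts it, matching the widget behaviour the note describes.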