9.8
CVE-2023-31047
- EPSS 0.06%
- Published 07.05.2023 02:15:08
- Last modified 29.01.2025 16:15:42
- Source cve@mitre.org
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Data is provided by the National Vulnerability Database (NVD)
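The mechanism behind this record, shown as an added illustration that is not part of the NVD description and is not Django's own code: a multi-value request mapping whose `get()` returns only the last value while `getlist()` returns all of them, a field `clean()` that sees a single file, and a view that then processes the whole list. The `FilesDict`, `Upload`, `clean_single_file` policy (extension allowlist plus size cap) and the field name `attachments` are all constructed for the demo.

```python
"""Model of the CVE-2023-31047 validation gap: one form field, several files.

Constructed example, not Django code. The stand-ins below mimic only the
behaviour that matters: a multi-value files mapping where get() yields the
LAST value (as Django's MultiValueDict does) while getlist() yields all of
them, and a field whose clean() validates a single file.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Upload:
    """Minimal stand-in for an uploaded file (constructed sample data)."""
    name: str
    size: int


class FilesDict:
    """Multi-value mapping: get() returns the last value, getlist() all of them."""

    def __init__(self):
        self._data = {}

    def append(self, key, value):
        self._data.setdefault(key, []).append(value)

    def get(self, key, default=None):
        values = self._data.get(key)
        return values[-1] if values else default

    def getlist(self, key):
        return list(self._data.get(key, []))


ALLOWED_EXTENSIONS = {"png", "jpg", "pdf"}   # hypothetical allowlist
MAX_SIZE = 5 * 1024 * 1024                   # hypothetical per-file limit


def clean_single_file(upload):
    """Per-file validation (hypothetical policy: extension allowlist + size)."""
    ext = upload.name.rsplit(".", 1)[-1].lower() if "." in upload.name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"{upload.name}: extension not allowed")
    if upload.size > MAX_SIZE:
        raise ValueError(f"{upload.name}: too large")
    return upload


def vulnerable_clean(files, field_name):
    """Pre-fix pattern: the field validates files.get(), i.e. only the last
    file, and the view then processes files.getlist(). Returns the files the
    view would go on to save, validated or not."""
    clean_single_file(files.get(field_name))
    return files.getlist(field_name)


def hardened_clean(files, field_name):
    """Fixed pattern: every selected file passes the same per-file clean."""
    return [clean_single_file(f) for f in files.getlist(field_name)]


def build_request_files():
    """Constructed request: a disallowed file first, an allowed one last."""
    files = FilesDict()
    files.append("attachments", Upload("payload.exe", 2048))
    files.append("attachments", Upload("photo.png", 4096))
    return files


def run_demo():
    """Returns (names the vulnerable path would save, error the hardened path raises)."""
    files = build_request_files()
    vulnerable_saved = [u.name for u in vulnerable_clean(files, "attachments")]
    try:
        hardened_clean(files, "attachments")
        hardened_error = None
    except ValueError as exc:
        hardened_error = str(exc)
    return vulnerable_saved, hardened_error


if __name__ == "__main__":
    saved, err = run_demo()
    print("vulnerable path would save:", saved)
    print("hardened path raised:", err)
```

The ordering is the whole point: because only the last file is validated, an attacker places the well-formed file last and the disallowed one earlier in the same multipart body. Django's fix in 3.2.19, 4.1.9 and 4.2.1 makes `FileInput`/`ClearableFileInput` raise `ValueError` when the `multiple` attribute is set unless `allow_multiple_selected` is enabled on the widget, and the rewritten documentation shows a `FileField` subclass whose `clean()` runs the single-file clean over each element of the list, which is what `hardened_clean` models above.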
Djangoproject ≫ Django Version >= 3.2 < 3.2.19
Djangoproject ≫ Django Version >= 4.0 < 4.1.9
Djangoproject ≫ Django Version 4.2
Djangoproject ≫ Django Version 4.2b1
Djangoproject ≫ Django Version 4.2rc1
Fedoraproject ≫ Fedora Version 38
No CISA KEV entry or CERT.AT advisory was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.06% | 0.182 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.