A security issue has been found in Django before version 3.2.4. Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/#s-cve-2021-33203-potential-directory-traversal-via-admindocs
https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9
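
The bug class behind this advisory, shown as an added example that is neither Django's code nor the code from the linked commit: a caller-supplied template name joined to a template directory without a containment check answers existence questions about paths outside that directory. The function names and the directory tree are hypothetical and constructed for illustration.

```python
import tempfile
from pathlib import Path


def exists_unsafe(template_dir, name):
    """Vulnerable pattern: the joined path is never checked for containment.

    A name containing '..' walks out of template_dir, and an absolute name
    replaces template_dir entirely when joined with pathlib.
    """
    return (Path(template_dir) / name).exists()


def exists_contained(template_dir, name):
    """Hardened pattern: resolve the path, then require it to stay inside template_dir."""
    base = Path(template_dir).resolve()
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if candidate is outside base
    except ValueError:
        raise ValueError("template name escapes the template directory") from None
    return candidate.exists()


def demo():
    """Probe a constructed directory tree with both functions."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        templates = root / "templates"
        (templates / "admin").mkdir(parents=True)
        (templates / "admin" / "base.html").write_text("<html></html>")
        # Constructed file that lives outside the template directory.
        (root / "secret.txt").write_text("constructed sample")

        results = []
        for name in ("admin/base.html", "../secret.txt", str(root / "secret.txt")):
            unsafe = exists_unsafe(templates, name)
            try:
                contained = exists_contained(templates, name)
            except ValueError:
                contained = "rejected"
            results.append((unsafe, contained))
        return results


if __name__ == "__main__":
    print(demo())
```

The unsafe variant reports `True` for both out-of-directory names, which is the existence oracle the advisory describes; the contained variant rejects them before touching the filesystem entry.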