An issue exists in the HTTP FileResponse class in Django 3.2 prior to 3.2.15 and 4.0 prior to 4.0.7. An application that builds a FileResponse whose filename is derived from user-supplied input is vulnerable to a reflected file download (RFD) attack: the filename is written into the Content-Disposition header without escaping, so a double quote in the input lets an attacker break out of the quoted filename value and control the name and extension under which the browser saves the response. Fixed in 3.2.15 and 4.0.7; until an application is upgraded, it should not pass user input through as the FileResponse filename.
Vulnerable Product |
---|
djangoproject django |
debian debian linux 11.0 |