View all vulnerabilities

CVE-2022-36359

Django vulnerable to Reflected File Download attack

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
8.7
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Versions
django < 3.2.15; django >= 4.0 < 4.0.7
Severity
High
Ecosystem
Python
Publish Date
August 11, 2022
Modified Date
January 14, 2025