Description
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Remediation
References
Related Vulnerabilities
PHP Improper Input Validation Vulnerability (CVE-2016-7129)
PostgreSQL Resource Management Errors Vulnerability (CVE-2012-2655)
PHP Other Vulnerability (CVE-2007-0909)
Oracle Application Server Other Vulnerability (CVE-2002-0559)
WordPress Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-14028)