
Security patch for django-filer

Fabian Braun

June 13, 2023

The updated release 2.2.5 is now available from our GitHub repository and PyPI.

Details

django-filer did not check permissions properly for listing directories, moving files or folders, or uploading files. As a result, a staff user without any filer permissions could browse filer's folder tree if they knew the URL. This vulnerability would expose the folder tree and its files to a staff user without permissions.
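To make the bug class concrete, the following is an added, constructed Python model rather than django-filer's own code: a directory listing view gated only by `is_staff` beside one that also requires an explicit listing permission or a read grant inherited down the folder tree. The `User` and `Folder` classes, the inheritance rule and the permission codename are assumptions made for illustration.

```python
# Constructed illustration (not django-filer's code) of the bug class in the advisory:
# a listing gated only on admin-site access versus one that checks real authorisation.
from dataclasses import dataclass, field
from typing import List, Optional, Set

LISTING_PERM = "filer.can_use_directory_listing"  # assumed permission codename


@dataclass
class User:
    username: str
    is_staff: bool = False
    perms: Set[str] = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    readers: Set[str] = field(default_factory=set)  # explicit per-folder read grants
    children: List["Folder"] = field(default_factory=list)

    def has_read_permission(self, user: User) -> bool:
        # Grants inherit from ancestor folders (simplified model of folder permissions).
        node: Optional[Folder] = self
        while node is not None:
            if user.username in node.readers:
                return True
            node = node.parent
        return False


def list_folder_vulnerable(user: User, folder: Folder) -> List[str]:
    # Pre-fix behaviour described in the advisory: only the admin login gate applied.
    if not user.is_staff:
        raise PermissionError("admin access required")
    return [c.name for c in folder.children]


def list_folder_fixed(user: User, folder: Folder) -> List[str]:
    # Fixed behaviour: being staff is not, by itself, authorisation to browse the tree.
    if not user.is_staff:
        raise PermissionError("admin access required")
    if not (user.has_perm(LISTING_PERM) or folder.has_read_permission(user)):
        raise PermissionError("no permission to list this folder")
    return [c.name for c in folder.children]
```

The same staff account that receives the listing from the first view is refused by the second unless it holds the listing permission or a grant on the folder or one of its ancestors.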

Please see the relevant commits on GitHub for more information about the vulnerability and mitigation.

Thanks to Akshar Tank for the detailed report through our security email.

As ever, we remind our users and contributors that all security reports, patches and concerns should be addressed only to our security team by email, at [email protected]

Please do not use GitHub, our email lists or Slack to report, address or otherwise discuss matters relating to security.
