Content: Blog

Release, Addons

Security patch for django-filer

Fabian Braun

June 13, 2023

The updated release 2.2.5 is now available from our GitHub repository and PyPI.


django filer did not check permissions properly for listing directories, moving files or folders, or uploading files. Effectively, a staff user without any permissions could thereby browse filer's folder tree if they knew the url. This vulnerability would expose the folder tree and the files to a staff user without permissions.

Please see the relevant commits on GitHub for more information about the vulnerability and mitigation.

Thanks to Akshar Tank for the detailed report through our security email.

As ever, we remind our users and contributors that all security reports, patches and concerns be addressed only to our security team by email, at [email protected]

Please do not use GitHub, our email lists or slack to report, address or otherwise discuss matters relating to security.

blog comments powered by Disqus

Do you want to test django CMS?

Try django CMS