Improper Validation of Specified Quantity in Input
CVE-2023-43665
Summary
In Django 1.11.23 through 1.11.29, 2.1 through 2.1.10, 2.2.4 through 2.2.28, 3.0a1 through 3.2.22, 4.0a1 through 4.1.11, 4.2a1 through 4.2.5, and 5.0a1, the "chars()" and "words()" methods of "django.utils.text.Truncator" (when used with "html=True") are subject to a potential DoS (Denial of Service) attack via certain inputs with very long, potentially malformed HTML text. The "chars()" and "words()" methods are used to implement the "truncatechars_html" and "truncatewords_html" template filters, which are thus also vulnerable. NOTE: This issue exists because of an incomplete fix for CVE-2019-14232.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-1284 - Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
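To check an environment against the version ranges listed in the Summary, the following added example (not part of the advisory and not Django's own code) compares a Django version string with those ranges, including the alpha releases named there. The names `parse` and `is_affected` are assumptions of this example, and only final, alpha, beta and rc version strings are handled.

```python
import re

# Affected ranges copied from the advisory summary (inclusive on both ends).
AFFECTED = [
    ("1.11.23", "1.11.29"),
    ("2.1", "2.1.10"),
    ("2.2.4", "2.2.28"),
    ("3.0a1", "3.2.22"),
    ("4.0a1", "4.1.11"),
    ("4.2a1", "4.2.5"),
    ("5.0a1", "5.0a1"),
]

# Pre-release stages sort before the final release of the same number (3).
_STAGE = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?")


def parse(version):
    """Turn '4.2a1' or '3.2.22' into a tuple that sorts in release order."""
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, micro, stage, num = m.groups()
    return (int(major), int(minor), int(micro or 0),
            _STAGE[stage] if stage else 3, int(num or 0))


def is_affected(version):
    """True if the version falls inside any range listed in the advisory."""
    v = parse(version)
    return any(parse(lo) <= v <= parse(hi) for lo, hi in AFFECTED)


if __name__ == "__main__":
    try:
        import django
        installed = django.get_version()
        verdict = "AFFECTED" if is_affected(installed) else "outside the listed ranges"
    except ImportError:
        installed, verdict = None, "Django is not installed here"
    except ValueError:
        verdict = "not a plain release version; check manually"
    print(f"Django {installed}: {verdict}")
```

A version outside the listed ranges is not necessarily supported or patched for other issues; the check only mirrors the ranges this advisory states.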