Skip to main content

Improper Validation of Specified Quantity in Input


Severity High
Score 7.5/10


In Django 1.11.23 through 1.11.29, 2.1 through 2.1.10, 2.2.4 through 2.2.28, 3.0a1 through 3.2.22, 4.0a1 through 4.1.11, 4.2a1 through 4.2.5, and 5.0a1 the "django.utils.text.Truncator chars()" and "words()" methods (when used with "html=True") are subject to a potential DoS (Denial of Service) attack via certain inputs with very long, potentially malformed HTML text. The "chars()" and "words()" methods are used to implement the "truncatechars_html" and "truncatewords_html" template filters, which are thus also vulnerable. NOTE: This issue exists because of an incomplete fix for CVE-2019-14232.

  • LOW
  • NONE
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-1284 - Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Advisory Timeline

  • Published