{"id":"CVE-2023-31047","details":"In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise.","aliases":["BIT-django-2023-31047","GHSA-r3xc-prgr-mg9p","PYSEC-2023-61"],"modified":"2026-04-10T04:57:31.604668Z","published":"2023-05-07T02:15:08.917Z","related":["MGASA-2023-0165","SUSE-SU-2023:2839-1","openSUSE-SU-2024:12943-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/"},{"type":"WEB","url":"https://groups.google.com/forum/#%21forum/django-announce"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230609-0008/"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2023/may/03/security-releases/"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/4.2/releases/security/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"3591e1c1acbd7c13174275367c3fdf012cb0413b"},{"fixed":"fc42edd2e63e89a80e7ca81486291f74359ef8be"},{"introduced":"ef62a3a68c9d558486145a42c0d71ea9a76add9e"},{"fixed":"dceb634ba42d3a182ea653dce31a529017f75a95"},{"introduced":"0"},{"last_affected":"879e5d587b84e6fc961829611999431778eb9f6a"},{"introduced":"0"},{"last_affected":"6234acb7176a75b4b75d6bc5f48faf4224bbdc63"},{"introduced":"0"},{"last_affected":"e829b0a239cffdeab5781df450a6b0e0026faa2d"}],"database_specific":{"versions":[{"introduced":"3.2"},{"fixed":"3.2.19"},{"introduced":"4.0"},{"fixed":"4.1.9"},{"introduced":"0"},{"last_affected":"4.2-NA"},{"introduced":"0"},{"last_affected":"4.2-b1"},{"introduced":"0"},{"last_affected":"4.2-rc1"}]}}],"versions":["1.0","1.1","1.2","1.2.1","1.3","1.4","1.7a2","3.2","3.2.1","3.2.10","3.2.11","3.2.12","3.2.13","3.2.14","3.2.15","3.2.16","3.2.17","3.2.18","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","3.2a1","3.2b1","3.2rc1","4.1","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1a1","4.1b1","4.1rc1","4.2","4.2a1","4.2b1","4.2rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-31047.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"38"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}