[Snyk:Medium] django Arbitrary File Upload (due by 07/09/2023)

[cnlucas]

Introduced through
django@3.2.18, django-haystack@3.1.1 and others
Fixed in
django@3.2.19, @4.1.9, @4.2.1

Exploit maturity
No known exploit

Detailed paths and remediation

Introduced through: project@0.0.0 › django@3.2.18
Fix: Upgrade django to version 3.2.19 or 4.1.9 or 4.2.1

Introduced through: project@0.0.0 › django-haystack@3.1.1 › django@3.2.18
Fix: Pin django to version 3.2.19 or 4.1.9 or 4.2.1
Introduced through: project@0.0.0 › django-mptt@0.13.4 › django-js-asset@2.0.0 › django@3.2.18
Fix: Pin django to version 3.2.19 or 4.1.9 or 4.2.1

Security information
Factors contributing to the scoring:

Snyk: [CVSS 5.3](https://security.snyk.io/vuln/SNYK-PYTHON-DJANGO-5496950) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview

Affected versions of this package are vulnerable to Arbitrary File Upload by bypassing of validation of all but the last file when uploading multiple files using a single forms.FileField or forms.ImageField.

Action items:

• Upgrade django to version 3.2.19 or 4.1.9 or 4.2.1
  Completion criteria:
• Vulnerability no longer flagged in snyk

[pkfec]

Merged PR #https://github.com/fecgov/fec-eregs/pull/766/files. Closing this issue