N/A

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

N/A

N/A

Django 路径遍历漏洞

Django是Django基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。 Django 存在路径遍历漏洞，该漏洞源于用户可以使用:mod:~django.contrib.admindocs TemplateDetailView 视图来检查任意文件的存在，如果默认admindocs模板已由开发人员自定义以公开文件内容，那么文件内容也将被公开。

N/A

N/A