Uploading multiple files using one form field has never been supported by ``forms.FileField`` or ``forms.ImageField`` as only the last uploaded file was validated. Unfortunately, "Uploading multiple files" topic suggested otherwise. In order to avoid the vulnerability, ``ClearableFileInput`` and ``django.forms.FileInput`` form widgets now raise ``ValueError`` when the ``multiple`` HTML attribute is set on them. To prevent the exception and keep the old behavior, set ``allow_multiple_selected`` to ``True``. For more details on using the new attribute and handling of multiple files through a single field, see "Uploading multiple files".
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 2196195] Created python-django3 tracking bugs for this issue: Affects: epel-all [bug 2196196] Affects: fedora-all [bug 2196197]
This issue has been addressed in the following products: RHUI 4 for RHEL 8 Via RHSA-2023:4591 https://access.redhat.com/errata/RHSA-2023:4591
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-31047
This issue has been addressed in the following products: Red Hat Satellite 6.13 for RHEL 8 Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931
This issue has been addressed in the following products: Red Hat Satellite 6.14 for RHEL 8 Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818