N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-pcjh-6r5h-r92r

GHSA-pcjh-6r5h-r92r: django-sendfile2 before 0.7.0 contains reflected file download vulnerability

Similar to CVE-2022-36359 for Django, django-sendfile2 did not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name used by django-sendfile2 was derived from user input, then it would be possible to perform a such an attack. A new version of django-sendfile2 will be released. Either download django-sendfile2 0.7.0 as a workaround or sanitize user input yourself, using Django's patch as a template: https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-pcjh-6r5h-r92r

GHSA-pcjh-6r5h-r92r:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
django-sendfile2	pip	< 0.7.0	0.7.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation in the 'sendfile' function when handling user-supplied filenames. The patch in utils.py adds critical escaping of backslashes (replace('\', '\\')) and quotes (replace('"', r'"')), directly addressing CWE-20. The added test cases in tests.py validate that filenames with injection attempts are now properly escaped. Since the vulnerability manifests when user input flows into the 'attachment_filename' parameter without proper sanitization, and the patch specifically modifies this code path, we can conclusively identify the 'sendfile' function as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-pcjh-6r5h-r92r: django-sendfile2 before 0.7.0 contains reflected file download vulnerability

GHSA-pcjh-6r5h-r92r:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

GHSA-pcjh-6r5h-r92r: django-sendfile2 before 0.7.0 contains reflected file download vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI