
Cloud Vulnerability DB
A community-led vulnerabilities database
A medium severity vulnerability (CVE-2024-11404) was identified in django-filer versions 3.0 up to, but not including, 3.3. The vulnerability encompasses multiple security issues, including Unrestricted Upload of File with Dangerous Type, Improper Input Validation, and Improper Neutralization of Script-Related HTML Tags in a Web Page, allowing for input data manipulation and stored XSS attacks (Django CMS Blog, Iltosec Blog).
The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L. The issue manifests in two main ways: an HTML file upload bypass, where files with an .html extension can be uploaded by appending a space (%20) to the filename, and an SVG file upload validation bypass, where the validate_svg function can be circumvented using the same technique (Iltosec Blog).
The vulnerabilities allow attackers to upload malicious HTML and SVG files containing scripts that can execute on the client side. This can lead to Cross-Site Scripting (XSS) attacks, potential compromise of user sessions, cookie theft, or unauthorized actions performed on behalf of users. Additionally, binary or unidentified files could be uploaded and downloaded by different users, potentially distributing malware (Iltosec Blog, Django CMS Blog).
The vulnerability has been fixed in django-filer 3.3, which by default now rejects binary files and files of unknown type. Users are strongly advised to update to the latest version. The fix includes improved file upload validation and the ability to configure virus checking for uploaded files through project settings (Django CMS Blog).
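The bypass described above works because the extension check runs on the raw, un-canonicalised filename. The following is an added example (my own Python, not django-filer's code; every function name and the extension lists are hypothetical) that puts a naive extension check that fails on a trailing space next to a hardened check that canonicalises the name, allowlists known types and sniffs the content, in the spirit of the 3.3 behaviour of rejecting unknown types rather than blocking known-bad ones.

```python
import posixpath
from urllib.parse import unquote

# Constructed lists for the example; real deployments should derive these
# from the media types the application actually needs to serve.
SCRIPTABLE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".js"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    return ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""


def naive_is_blocked(filename: str) -> bool:
    """Weak check: blocklist on the raw extension. 'evil.html ' (or
    'evil.html%20' as it arrives URL-encoded) yields '.html ' / '.html%20',
    which is not in the blocklist, so the upload is accepted."""
    return extension_of(filename) in SCRIPTABLE_EXTENSIONS


def canonical_name(filename: str) -> str:
    """Canonicalise before any decision: percent-decode, drop directory
    components, then strip surrounding whitespace and trailing dots/spaces."""
    name = unquote(filename)
    name = posixpath.basename(name.replace("\\", "/"))
    return name.strip().rstrip(". ")


def looks_scriptable(head: bytes) -> bool:
    """Content sniff that ignores the name: markup a browser would render."""
    h = head.lstrip().lower()[:512]
    return any(tag in h for tag in (b"<svg", b"<html", b"<script", b"<!doctype html"))


def hardened_is_allowed(filename: str, head: bytes) -> bool:
    """Allowlist on the canonical extension plus a content check; unknown
    types are rejected instead of only known-bad ones being blocked."""
    ext = extension_of(canonical_name(filename))
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return not looks_scriptable(head)
```

The trailing-space variant passes `naive_is_blocked` but is rejected by `hardened_is_allowed`; a renamed HTML file with an allowed extension is caught by the content sniff.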
Source: This report was generated using AI