CVE-2024-23826

MEDIUM Year: 2024
CVSS v3 Score
5.7
Medium
Weakness Type
CWE-770
View all →

Vulnerability Description

spbu_se_site is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is due to no limitation of the length of the filename and the costly use of the Unicode normalization with the form NFKD on Windows OS. This vulnerability was fixed in the 2024.01.29 release.

Related Vulnerabilities

CVE-2024-56374

MEDIUM
CVSS:5.8(Medium)

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a po...

CWE-7702024

CVE-2025-27556

MEDIUM
CVSS:5.8(Medium)

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.Lo...

CWE-7702025

CVE-2022-3456

MEDIUM
CVSS:5.6(Medium)

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.

CWE-7702022

CVE-2025-46687

MEDIUM
CVSS:5.6(Medium)

quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.

CWE-7702025

CVE-2017-0771

MEDIUM
CVSS:5.5(Medium)

A denial of service vulnerability in the Android media framework (libskia). Product: Android. Versions: 7.0, 7.1.1, 7.1.2. Android ID: A-37624243.

CWE-7702017

CVE-2017-12132

MEDIUM
CVSS:5.9(Medium)

The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path ...

CWE-7702017