Django · Django · CVE-2019-14232
**Name of the Vulnerable Software and Affected Versions**
Django versions 1.11.x through 1.11.22
Django versions 2.1.x through 2.1.10
Django versions 2.2.x through 2.2.3
**Description**
The issue is related to the `django.utils.text.Truncator` class, specifically the `chars()` and `words()` methods. When these methods are passed the `html=True` argument, they can be extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. This vulnerability can be exploited to cause a denial of service. The `chars()` and `words()` methods are used to implement the `truncatechars_html` and `truncatewords_html` template filters.
**Recommendations**
For Django versions 1.11.x through 1.11.22, update to version 1.11.23 or later.
For Django versions 2.1.x through 2.1.10, update to version 2.1.11 or later.
For Django versions 2.2.x through 2.2.3, update to version 2.2.4 or later.
As a temporary workaround, avoid passing the `html=True` argument to the `chars()` and `words()` methods (and avoid the `truncatechars_html` and `truncatewords_html` template filters on untrusted input) until the fixed version can be installed.
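The workaround above in code, as an added example that is neither part of this advisory nor Django's own code: untrusted HTML is tag-stripped with the standard-library parser and then word-truncated, so the `html=True` path of `Truncator` is never reached. The `MAX_INPUT_CHARS` cap and the simplified word splitting (a `\S+` split, close to but not identical to Django's `Truncator.words()`) are assumptions of this example; it runs without Django installed.

```python
"""Advisory workaround: strip HTML first, then truncate without html=True."""
from html.parser import HTMLParser
import re

# Assumed cap: bound the amount of attacker-controlled text any parser sees.
MAX_INPUT_CHARS = 10_000


class _TextExtractor(HTMLParser):
    """Collect text nodes and drop tags; block-level tags become a space so
    words on either side of them do not fuse together."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_starttag(self, tag, attrs):
        if tag in ("br", "p", "div", "li"):
            self.parts.append(" ")

    def text(self):
        return "".join(self.parts)


def strip_tags(html):
    """Return the text content of `html` with all markup removed."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return parser.text()


def truncate_words_safe(value, num, marker=" …"):
    """Word-truncate untrusted HTML without Truncator(..., html=True).

    The input is length-capped before any parsing, the markup is stripped,
    and the first `num` whitespace-separated words are returned, followed by
    `marker` if anything was cut. Markup is lost, which is the price of
    avoiding the regex-backed HTML-aware code path described in the advisory.
    """
    value = value[:MAX_INPUT_CHARS]
    words = re.findall(r"\S+", strip_tags(value))
    if len(words) <= num:
        return " ".join(words)
    return " ".join(words[:num]) + marker
```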