Shai Berger

**Name of the Vulnerable Software and Affected Versions** Django versions prior to 5.2.15 Django versions prior to 6.0.6 **Description** An issue exists in `django.middleware.cache.UpdateCacheMiddleware` where the `Authorization` header is not added to the `Vary` response header for requests that include that header but lack `Cache-Control: public`. This allows remote attackers to access private cached responses by making unauthenticated requests to the same URL. **Recommendations** Update to version 5.2.15 or newer. Update to version 6.0.6 or newer.

**Name of the Vulnerable Software and Affected Versions** xml.dom.minidom (affected versions not specified) **Description** The software experiences a performance issue when constructing deeply nested XML documents using methods like `appendChild()`. This is due to a quadratic algorithm within the ` clear id cache()` function, which is triggered when building nested elements. This can lead to availability impacts when processing excessively complex documents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Django versions 4.2 through 4.2.26 Django versions 5.1 through 5.1.14 Django versions 5.2 through 5.2.8 **Description** An issue exists in the way Django handles XML input. Specifically, algorithmic complexity within the `django.core.serializers.xml serializer.getInnerText()` function can lead to a denial-of-service condition. A remote attacker could potentially exhaust CPU and memory resources by providing specially crafted XML input to the XML `Deserializer`. **Recommendations** Update to Django version 5.2.9 or later. Update to Django version 5.1.15 or later. Update to Django version 4.2.27 or later.