Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website.
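One way to guard an avatar upload against this class of bug, as an added example (not code from the affected project or its fix): it assumes the file is later served with a Content-Type derived from the stored file's extension. The function names, the allow-list and the sample bytes are hypothetical and constructed for illustration.

```python
import os
import secrets

# Magic-byte prefixes for the image types accepted as avatars (assumed allow-list).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}
EXT_ALIASES = {"jpeg": "jpg"}


def sniff_image(data: bytes):
    """Return (canonical_ext, mime) from the leading bytes, or None."""
    for ext, (magic, mime) in SIGNATURES.items():
        if data.startswith(magic):
            return ext, mime
    return None


def validate_avatar(client_filename: str, data: bytes):
    """Return (stored_name, content_type) or raise ValueError.

    The stored name never reuses the client-supplied name or extension, so an
    extension-based content-type guess at serve time cannot yield text/html.
    """
    ext = os.path.splitext(client_filename)[1].lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in SIGNATURES:
        raise ValueError(f"extension {ext!r} not allowed")
    sniffed = sniff_image(data)
    if sniffed is None or sniffed[0] != ext:
        raise ValueError("content does not match declared image type")
    stored_name = f"{secrets.token_hex(16)}.{sniffed[0]}"
    return stored_name, sniffed[1]


def serve_headers(content_type: str) -> dict:
    """Headers for serving a stored avatar: fixed type, no MIME sniffing."""
    return {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}


# Constructed sample: a GIF header followed by inert HTML text.
POLYGLOT = b"GIF89a" + b"<p>constructed marker</p>"
```

A file with image magic bytes but an `.html` name is rejected outright; the same bytes named `.gif` are stored under a random `.gif` name and served as `image/gif` with `nosniff`, so the browser does not interpret the trailing markup.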
View the template here CVE-2023-47115.yaml
References:
https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development