CVE-2019-3498

Published: 07 January 2019

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
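The neutralization failure described above, as an added example that is not code from this advisory or from Django itself: a minimal model of how the 404 view's context is built before and after the fix. The template strings, the `neutralize` flag and the helper names are assumptions, and Django's template engine is replaced by a small stand-in that only models HTML autoescaping.

```python
from urllib.parse import quote

# Constructed sample path: readable text and markup smuggled into the URL path.
CRAFTED_PATH = "/Account locked. Call +1-555-0100 now <b>urgent</b>"

# Assumed stand-in for the default 404 template of affected versions (the real
# template is not on this page). Autoescaping turns <b> into &lt;b&gt;, which is
# modelled below, but it does nothing about a plain-text sentence in the path.
UNSAFE_TEMPLATE = "<p>The requested URL {request_path} was not found on this server.</p>"
# Assumed stand-in for a fixed default template that no longer shows the path.
FIXED_TEMPLATE = "<p>The requested resource was not found on this server.</p>"


def html_escape(value):
    """Minimal model of template autoescaping."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def render_404(template, request_path, neutralize):
    # neutralize=False models the vulnerable view: request.path goes straight
    # into the context. neutralize=True models the fix: URL-quote it first, so
    # spaces and punctuation can no longer be read as a sentence by the user.
    shown = quote(request_path) if neutralize else request_path
    return template.format(request_path=html_escape(shown))


def reflects_readable_text(path, body):
    # Defender-side check usable against a captured 404 body: does the page
    # echo the untrusted path with its spaces intact, i.e. as readable prose?
    return " " in path and html_escape(path) in body


def vulnerable_page(path=CRAFTED_PATH):
    return render_404(UNSAFE_TEMPLATE, path, neutralize=False)


def patched_page(path=CRAFTED_PATH):
    return render_404(FIXED_TEMPLATE, path, neutralize=True)


def custom_template_patched(path=CRAFTED_PATH):
    # A site template that still prints request_path is protected by quoting alone.
    return render_404(UNSAFE_TEMPLATE, path, neutralize=True)


def quoted_path(path=CRAFTED_PATH):
    return quote(path)
```

The `reflects_readable_text` check is the kind of assertion a regression test can make against a real 404 response body once the upgrade is deployed.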

Priority: Medium

CVSS 3 base score: 6.5

Status

Package: python-django (Launchpad, Ubuntu, Debian)
Upstream: Released (1:1.11.18-1)
Ubuntu 18.04 LTS (Bionic Beaver): Released (1:1.11.11-1ubuntu1.2)
Ubuntu 16.04 ESM (Xenial Xerus): Released (1.8.7-1ubuntu5.7)
Ubuntu 14.04 ESM (Trusty Tahr): Released (1.6.11-0ubuntu1.3)
Patches:
Upstream: https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a (1.11.x)
Upstream: https://github.com/django/django/commit/64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b (2.1.x)