ID CVE-2019-3498
Summary In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
References
Vulnerable Configurations
CVSS
Base: None
Impact:
Exploitability:
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4363.NASL
    description It was discovered that malformed URLs could spoof the content of the default 404 page of Django, a Python web development framework.
    last seen 2019-01-16
    modified 2019-01-10
    plugin id 121056
    published 2019-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121056
    title Debian DSA-4363-1 : python-django - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1629.NASL
    description It was discovered that there was a content-spoofing vulnerability in the default 404 pages in the Django web development framework. For more information, please see: https://www.djangoproject.com/weblog/2019/jan/04/security-releases/ For Debian 8 'Jessie', this issue has been fixed in python-django version 1.7.11-1+deb8u4. We recommend that you upgrade your python-django packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2019-01-07
    plugin id 120962
    published 2019-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120962
    title Debian DLA-1629-1 : python-django security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3E41C1A610BC11E9BD85FCAA147E860E.NASL
    description Django security releases issued reports: An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.
    last seen 2019-01-16
    modified 2019-01-07
    plugin id 120968
    published 2019-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120968
    title FreeBSD : Django -- Content spoofing possibility in the default 404 page (3e41c1a6-10bc-11e9-bd85-fcaa147e860e)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3851-1.NASL
    description It was discovered that Django incorrectly handled the default 404 page. A remote attacker could use this issue to spoof content using a malicious URL. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2019-01-10
    plugin id 121063
    published 2019-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121063
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : python-django vulnerability (USN-3851-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2019-A7B53ED5A3.NASL
    description fix CVE-2019-3498 python-django: Content spoofing via URL path in Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2019-01-11
    plugin id 121082
    published 2019-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121082
    title Fedora 29 : python-django (2019-a7b53ed5a3)
refmap via4
bid 106453
debian DSA-4363
misc
mlist [debian-lts-announce] 20190106 [SECURITY] [DLA 1629-1] python-django security update
ubuntu USN-3851-1
Last major update 09-01-2019 - 18:29
Published 09-01-2019 - 18:29
Last modified 10-01-2019 - 06:29