PT-2019-1680 · Django Software Foundation · Django

Published: 2019-01-04 · Updated: 2026-01-03 · CVE-2019-3498

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Django versions 1.11.x through 1.11.17
Django versions 2.0.x through 2.0.9
Django versions 2.1.x through 2.1.4
Description

The issue stems from insufficient neutralization of special elements in output used by a downstream component. It allows content spoofing in the 404 error page: a crafted URL can make attacker-controlled content appear on that page, and a user who fails to recognize that the URL carries malicious content may take the spoofed content as genuine. The django.views.defaults.page_not_found() function is specifically affected.
Recommendations

For Django versions 1.11.x through 1.11.17, update to version 1.11.18 or later.
For Django versions 2.0.x through 2.0.9, update to version 2.0.10 or later.
For Django versions 2.1.x through 2.1.4, update to version 2.1.5 or later.

Fix

Special Elements Injection

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2019-2367
BDU:2019-01260
CVE-2019-3498
DLA-1629-1
DSA-4363-1
GHSA-337X-4Q8G-PRC5
MGASA-2019-0035
MGASA-2019-0040
OPENSUSE-SU-2024:11205-1
OPENSUSE-SU-2024:13887-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2019-17
SUSE-RU-2020:2072-1
SUSE-SU-2019:0483-1
SUSE-SU-2019:1862-1
SUSE-SU-2019:3127-1
USN-3851-1

Affected Products

Alt Linux
Django
Ubuntu