py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)
Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via a crafted URL in the default 404 page.
An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.
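As an added illustration of the weakness class and its mitigation (constructed for this entry, not code from Django or from the linked patch): a minimal stand-in for a 404 message renderer, in the pre-fix form that reflects the raw request path, the hardened form that percent-encodes the path before templating (the approach the fix takes for the request_path context variable), and a form that omits the path entirely (as the fixed default template does). The function names and the sample path are assumptions made for this example.

```python
from html import escape
from urllib.parse import quote

# Constructed sample request path containing spaces, i.e. text that a raw
# reflection would render as readable prose inside the error page.
SAMPLE_PATH = "/accounts/ login here to continue"


def render_404_unquoted(request_path: str) -> str:
    """Pre-fix style: the raw path is interpolated into the message.

    Any text carried in the path appears verbatim as part of the page,
    which is the content-spoofing condition described in the advisory.
    """
    return (
        "<h1>Not Found</h1>"
        f"<p>The requested URL {escape(request_path)} was not found on this server.</p>"
    )


def render_404_hardened(request_path: str) -> str:
    """Mitigation: percent-encode the path before it reaches the template.

    Spaces, quotes and angle brackets become %XX sequences, so the reflected
    value can no longer read as a sentence of the page; HTML escaping is kept
    as the usual second layer.
    """
    return (
        "<h1>Not Found</h1>"
        f"<p>The requested URL {escape(quote(request_path))} was not found on this server.</p>"
    )


def render_404_no_path() -> str:
    """Alternative used by the fixed default template: do not echo the path."""
    return "<h1>Not Found</h1><p>The requested resource was not found on this server.</p>"


def reflects_raw_path(rendered: str, request_path: str) -> bool:
    """Review check for a custom 404 template: does the page contain the
    request path verbatim?  For a path with characters outside the URL-safe
    set (spaces, quotes), a safe renderer must answer False."""
    return request_path in rendered


if __name__ == "__main__":
    print(render_404_unquoted(SAMPLE_PATH))
    print(render_404_hardened(SAMPLE_PATH))
    print(render_404_no_path())
```

When auditing a custom 404 template that uses request_path, the quoted form is what should appear in the page source; a template that still shows spaces or punctuation from the URL verbatim is relying on the pre-fix behaviour.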
Fixed In Version:
python-django 1.11.18, python-django 2.0.10, python-django 2.1.5
References:
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
Patch:
https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a
(from redmine: issue id 9832, created on 2019-01-09, closed on 2019-02-19)
- Relations:
- child #9833 (closed)
- child #9834 (closed)
- child #9835 (closed)
- child #9836 (closed)