CVE-2019-3498

medium

Description

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

References

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

https://groups.google.com/forum/#!topic/django-announce/VYU7xQQTEPQ

https://docs.djangoproject.com/en/dev/releases/security/

https://www.debian.org/security/2019/dsa-4363

https://usn.ubuntu.com/3851-1/

https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html

http://www.securityfocus.com/bid/106453

https://lists.fedoraproject.org/archives/list/[email protected]/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/

Details

Source: MITRE

Published: 2019-01-09

Updated: 2021-07-21

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

7 plugins in total:

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 122980 | Fedora 28 : python2-django1.11 (2019-5ad2149e99) | Nessus | Fedora Local Security Checks | medium |
| 121196 | Fedora 28 : python-django (2019-e6ca5847c7) | Nessus | Fedora Local Security Checks | medium |
| 121082 | Fedora 29 : python-django (2019-a7b53ed5a3) | Nessus | Fedora Local Security Checks | medium |
| 121063 | Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : python-django vulnerability (USN-3851-1) | Nessus | Ubuntu Local Security Checks | medium |
| 121056 | Debian DSA-4363-1 : python-django - security update | Nessus | Debian Local Security Checks | medium |
| 120968 | FreeBSD : Django -- Content spoofing possibility in the default 404 page (3e41c1a6-10bc-11e9-bd85-fcaa147e860e) | Nessus | FreeBSD Local Security Checks | medium |
| 120962 | Debian DLA-1629-1 : python-django security update | Nessus | Debian Local Security Checks | medium |