CVE-2019-3498 — Injection in Django
CWE-74 — InjectionCWE-20 — Improper Input ValidationCWE-99 — Resource Injection12 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
1.4%
top 19.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 9
Latest updateJan 14
Description
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6
Affected Packages2 packages
Also affects: Debian Linux 8.0, 9.0, Fedora 28, Ubuntu Linux 14.04, 16.04, 18.04, 18.10