Content Spoofing

Affecting django package, versions [,1.11.18) || [2.0.0, 2.0.10) || [2.1.0, 2.1.5)

Overview

Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Content Spoofing. The default 404 page did not properly handle user-supplied data: an attacker could supply content to the web application, typically via a parameter value, that was reflected back to the user. This presented the user with a modified page under the context of the trusted domain.
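To make the weakness class concrete, here is an added Python example (written for this page, not Django's own code) using only the standard library. It contrasts a 404 handler that reflects the request path as readable text with one that percent-encodes the path before rendering, and includes the check a test suite or scanner would run: does a human-readable phrase from the request come back verbatim in the response? The `PAGE` template and `SAMPLE_PATH` are constructed stand-ins, not Django's template or any real request.

```python
# Added example, not Django's code: demonstrates the weakness class behind
# CVE-2019-3498 using only the standard library. A default 404 page that
# echoes the request path as readable text lets a crafted URL place
# attacker-chosen prose on the trusted domain, even though HTML escaping
# already prevents script injection. Percent-encoding the path before it is
# rendered keeps it informative while breaking free-text readability.
from html import escape
from urllib.parse import quote

# Minimal stand-in for a 404 template (constructed; the real template differs).
PAGE = "<h1>Not Found</h1><p>The requested URL {path} was not found on this server.</p>"


def render_404_reflecting(path: str) -> str:
    """Vulnerable pattern: the path is HTML-escaped (so no script injection)
    but reflected verbatim, so any sentence embedded in the URL is shown as
    ordinary page text under the trusted domain."""
    return PAGE.format(path=escape(path))


def render_404_quoted(path: str) -> str:
    """Hardened pattern: percent-encode first, then HTML-escape. Spaces and
    most punctuation become %XX sequences, so injected wording no longer
    reads as a sentence, while the offending path is still identifiable."""
    return PAGE.format(path=escape(quote(path)))


def echoes_phrase(page: str, phrase: str) -> bool:
    """Check used in a regression test or scanner: is a human-readable phrase
    taken from the request reflected verbatim in the response body?"""
    return phrase in page


# Constructed sample request path (no real site involved).
SAMPLE_PATH = "/Your session has expired, visit example.com to log in again/"

if __name__ == "__main__":
    print(render_404_reflecting(SAMPLE_PATH))
    print(render_404_quoted(SAMPLE_PATH))
```

Note that HTML escaping alone does not close this issue: the reflecting variant is already safe against script injection, and the spoofing works entirely with plain words.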

Remediation

Upgrade django to version 1.11.18, 2.0.10, 2.1.5 or higher.
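To triage an installed copy against the affected ranges listed at the top of this advisory, here is an added Python example (not Snyk's tooling or Django's code) that parses the interval notation used there and reports whether a version is affected and which release in its series carries the fix. It assumes plain numeric versions; a pre-release suffix such as `rc1` is ignored, which is a limitation noted in the code.

```python
# Added example, not Snyk's or Django's code: parse the advisory's affected-
# version ranges and classify an installed Django version. Interval notation
# as on the page: "[a, b)" means a <= v < b, an empty bound is open-ended,
# and "||" joins alternatives.
import re
from typing import List, Optional, Tuple

AFFECTED = "[,1.11.18) || [2.0.0, 2.0.10) || [2.1.0, 2.1.5)"

Version = Tuple[int, int, int]
Interval = Tuple[Optional[Version], Optional[Version]]


def parse_version(text: str) -> Version:
    """'2.0.10' -> (2, 0, 10); '2.2' -> (2, 2, 0). A pre-release suffix such
    as 'rc1' is ignored, which can misclassify a release candidate of a fixed
    version as fixed; flag such versions for manual review."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def parse_ranges(spec: str) -> List[Interval]:
    """Split '[a, b) || [c, d)' into (low, high) pairs; None = unbounded."""
    intervals: List[Interval] = []
    for part in spec.split("||"):
        m = re.fullmatch(r"\s*\[\s*([^,\s]*)\s*,\s*([^)\s]*)\s*\)\s*", part)
        if not m:
            raise ValueError(f"unsupported range syntax: {part!r}")
        low = parse_version(m.group(1)) if m.group(1) else None
        high = parse_version(m.group(2)) if m.group(2) else None
        intervals.append((low, high))
    return intervals


def _inside(v: Version, low: Optional[Version], high: Optional[Version]) -> bool:
    return (low is None or low <= v) and (high is None or v < high)


def is_affected(version: str, spec: str = AFFECTED) -> bool:
    """True if the version falls inside any affected interval."""
    v = parse_version(version)
    return any(_inside(v, low, high) for low, high in parse_ranges(spec))


def first_fixed_release(version: str, spec: str = AFFECTED) -> Optional[str]:
    """For an affected version, the upper bound of its interval, i.e. the
    smallest release in that series that contains the fix; None if the
    version is not affected or its interval has no upper bound."""
    v = parse_version(version)
    for low, high in parse_ranges(spec):
        if _inside(v, low, high):
            return ".".join(map(str, high)) if high else None
    return None


if __name__ == "__main__":
    for candidate in ("1.11.17", "1.11.18", "2.0.9", "2.1.5", "2.2"):
        status = "affected" if is_affected(candidate) else "not affected"
        print(candidate, status, first_fixed_release(candidate))
```

Feed it the output of `pip show django` or `django.get_version()` in a CI step to fail builds that still pin an affected release.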

CVSS Score

4.3
medium severity
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Credit: Jerbi Nessim
CVE: CVE-2019-3498
CWE: CWE-148
Snyk ID: SNYK-PYTHON-DJANGO-72888
Disclosed: 04 Jan, 2019
Published: 08 Jan, 2019