[3.7] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)
Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to
content spoofing via crafted URL in the default 404 page.
An attacker could craft a malicious URL that could make spoofed content
appear on the default page generated
by the django.views.defaults.page_not_found() view.
Fixed In Version:
python-django 1.11.18, python-django 2.0.10, python-django 2.1.5
References:
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
Patch:
https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a
(from redmine: issue id 9835, created on 2019-01-09, closed on 2019-02-19)
- Relations:
- parent #9832 (closed)
- Changesets:
- Revision efea0b28 on 2019-02-04T11:27:46Z:
main/py-django: security upgrade to 1.11.18 (CVE-2019-3498)
Fixes #9835
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information