{"id":"CVE-2019-3498","details":"In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.","aliases":["GHSA-337x-4q8g-prc5","PYSEC-2019-17"],"modified":"2026-04-10T04:17:59.795565Z","published":"2019-01-09T23:29:05.387Z","related":["MGASA-2019-0035","MGASA-2019-0040","SUSE-RU-2020:2072-1","SUSE-SU-2019:0483-1","SUSE-SU-2019:1862-1","SUSE-SU-2019:3127-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"WEB","url":"https://groups.google.com/forum/#%21topic/django-announce/VYU7xQQTEPQ"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106453"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3851-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4363"},{"type":"FIX","url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"type":"FIX","url":"https://www.djangoproject.com/weblog/2019/jan/04/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"c669cf279ae7b3e02a61db4fb077030a4db80e4f"},{"fixed":"2c9dbe9226478e3c04cb2ec3bbbf18462ae87efb"},{"introduced":"8c85c8692240e5ae4b568eb4272475fe1fa4b059"},{"fixed":"2b865f4c59411239abbab3f94444d3c42850c2f1"},{"introduced":"df591468251ed489a3e147d7c359f387f4effe66"},{"fixed":"066f26fe8b98609726f7962c21de7233afb4ff7e"}],"database_specific":{"versions":[{"introduced":"1.11"},{"fixed":"1.11.18"},{"introduced":"2.0"},{"fixed":"2.0.10"},{"introduced":"2.1"},{"fixed":"2.1.5"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.10"}]},{"events":[{"introduced":"0"},{"last_affected":"28"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3498.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}