Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via a crafted URL in the default 404 page. An attacker could craft a malicious URL that makes spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view, because that page echoes the requested path back to the user as readable text.
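The following is an added illustration of the flaw class described above, not code from Django or from this bug report. It models a default "not found" page that echoes the decoded request path (the constant `NOT_FOUND_TEMPLATE` and the function names are this example's own), shows why HTML escaping alone does not stop text spoofing, percent-encodes the path as the assumed mitigation, and runs a small detector over constructed access-log lines to surface 404 requests whose decoded path contains whitespace (a sign that sentence-like text was smuggled into the URL).

```python
import html
import re
from urllib.parse import quote, unquote

# Stand-in for the body of a default "not found" page. This is NOT Django's
# template; it only reproduces the pattern the advisory describes: the decoded
# request path is reflected into the response body.
NOT_FOUND_TEMPLATE = (
    "<h1>Not Found</h1>"
    "<p>The requested URL {path} was not found on this server.</p>"
)


def render_404_spoofable(request_path: str) -> str:
    """Reflect the already-decoded path with HTML escaping only.

    Escaping blocks markup injection, but a decoded path such as
    '/accounts/ Service moved; see example.invalid' is still rendered as a
    readable sentence inside the server's own error page. That is the
    content-spoofing problem.
    """
    return NOT_FOUND_TEMPLATE.format(path=html.escape(request_path))


def render_404_hardened(request_path: str) -> str:
    """Percent-encode the path before reflecting it (assumed mitigation).

    Spaces and punctuation become %XX sequences, so injected text reads as an
    opaque URL fragment rather than as prose. HTML escaping is kept as well.
    """
    return NOT_FOUND_TEMPLATE.format(path=html.escape(quote(request_path)))


def looks_like_spoof_text(decoded_path: str) -> bool:
    """Heuristic: a legitimate decoded path contains no whitespace."""
    return re.search(r"\s", decoded_path) is not None


# Common-log-format request line plus status; the target is taken as-is and
# decoded afterwards so that %20 sequences are inspected in decoded form.
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')


def flag_spoof_attempts(log_lines):
    """Return the decoded paths of 404 responses whose path contains whitespace."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m or m.group("status") != "404":
            continue
        decoded = unquote(m.group("target").split("?", 1)[0])
        if looks_like_spoof_text(decoded):
            hits.append(decoded)
    return hits


# Constructed sample log lines (addresses, timestamps and paths are made up).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/Jan/2019:10:02:11 +0000] '
    '"GET /accounts/%20Service%20moved%3B%20see%20example.invalid HTTP/1.1" 404 123',
    '203.0.113.8 - - [01/Jan/2019:10:02:30 +0000] "GET /static/app.js HTTP/1.1" 200 4521',
    '203.0.113.9 - - [01/Jan/2019:10:03:02 +0000] "GET /missing/page HTTP/1.1" 404 89',
]


if __name__ == "__main__":
    decoded = unquote("/accounts/%20Service%20moved%3B%20see%20example.invalid")
    print("spoofable:", render_404_spoofable(decoded))
    print("hardened: ", render_404_hardened(decoded))
    print("flagged:  ", flag_spoof_attempts(SAMPLE_ACCESS_LOG))
```

The first render shows the injected sentence as ordinary page text; the hardened render shows it as `%20`-separated tokens, and a normal path such as `/missing/page` renders identically in both. The detector is a triage aid for web access logs, not proof of exploitation: it simply lists 404 requests whose decoded path looks like text rather than a path.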
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-29 [bug 1663725]
Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1663724]
Affects: fedora-all [bug 1663723]
This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not reachable by default because of the firewall rules, so this flaw cannot be exploited there. However, it can be triggered on the Content Delivery Systems.