CVE-2017-12794

Affected configuration(s):

cpe:/a:djangoproject:django:1.10.0
cpe:/a:djangoproject:django:1.10.1
cpe:/a:djangoproject:django:1.10.2
cpe:/a:djangoproject:django:1.10.3
cpe:/a:djangoproject:django:1.10.4
cpe:/a:djangoproject:django:1.10.5
cpe:/a:djangoproject:django:1.10.6
cpe:/a:djangoproject:django:1.10.7
cpe:/a:djangoproject:django:1.11.0
cpe:/a:djangoproject:django:1.11.1
cpe:/a:djangoproject:django:1.11.2
cpe:/a:djangoproject:django:1.11.3
cpe:/a:djangoproject:django:1.11.4

Date published: 2017-09-07T09:29:00.467-04:00

Date last modified: 2017-09-14T14:06:04.507-04:00

CVSS Score: 4.3

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://www.securityfocus.com/bid/100643

Summary: In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability should not affect most production sites, since the technical 500 page is only served when DEBUG = True, and DEBUG should never be enabled in production settings. Affected deployments should upgrade to Django 1.10.8 or 1.11.5 and confirm that DEBUG is False in production.
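The two conditions in the summary, an affected release and DEBUG = True, can be checked without Django installed. The script below is an added example, not part of this CVE record or of Django's own code: it encodes the fixed-in versions the summary names, reads the last literal DEBUG assignment out of a settings module with the ast module, and combines both into a verdict. The settings text it runs on is constructed for the example.

```python
"""Triage a Django deployment against CVE-2017-12794 (added example, stdlib only).

Exposure needs both an unpatched release (1.10.x < 1.10.8 or 1.11.x < 1.11.5)
and DEBUG = True, which is what makes the technical 500 page reachable.
"""
import ast
import re
from typing import Optional, Tuple

# First fixed release per affected minor series, taken from the advisory text.
FIXED_IN = {(1, 10): (1, 10, 8), (1, 11): (1, 11, 5)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    A pre-release suffix such as '1.11.5rc1' is dropped and the string is
    treated as its numeric base, so check pre-releases by hand.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(version: str) -> bool:
    """True if the release is one the advisory lists as affected."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return False  # not a 1.10.x or 1.11.x release: outside this CVE's scope
    return (major, minor, patch) < fixed


def debug_setting(settings_source: str) -> Optional[bool]:
    """Return the literal value of the last top-level 'DEBUG = ...' assignment.

    Returns None when DEBUG is absent or computed at runtime (for example from
    an environment variable), because its value cannot then be known statically.
    """
    value: Optional[bool] = None
    for node in ast.parse(settings_source).body:
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "DEBUG" for t in node.targets):
            continue
        try:
            value = bool(ast.literal_eval(node.value))
        except (ValueError, TypeError):
            value = None  # non-literal right-hand side
    return value


def assess(version: str, settings_source: str) -> str:
    """Combine both conditions into one verdict string."""
    if not is_vulnerable_version(version):
        return "patched"  # template fix present; DEBUG still belongs off in production
    debug = debug_setting(settings_source)
    if debug is None:
        return "unknown"  # DEBUG is set at runtime; verify in the running process
    return "exposed" if debug else "debug off"


# Constructed sample settings module for the example (not from any real project).
SAMPLE_SETTINGS = """
SECRET_KEY = "example-only"
DEBUG = True  # left on by mistake
ALLOWED_HOSTS = ["example.com"]
"""

if __name__ == "__main__":
    for ver in ("1.10.7", "1.11.4", "1.11.5", "2.0.0"):
        print(ver, assess(ver, SAMPLE_SETTINGS))
```

The static read of DEBUG is a triage aid only: a settings module that derives DEBUG from the environment yields "unknown", and the authoritative answer comes from the running configuration, for example `python manage.py check --deploy`, which warns when DEBUG is True.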
