CVE-2017-12794

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Cross-site Scripting
CVSS 3.x Base Score
Provider: NIST (Primary)
Base Score: 6.1 MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score Percentile: Unknown
Affected Products (NVD)
Vendor: djangoproject
Product: django
Vulnerable software versions: 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4
Debian Releases (product: python-django)
bookworm: 3:3.2.19-1+deb12u1 (fixed)
bookworm (security): 3:3.2.19-1+deb12u1 (fixed)
bullseye: 2:2.2.28-1~deb11u2 (fixed)
bullseye (security): 2:2.2.28-1~deb11u2 (fixed)
jessie: not-affected
sid: 3:4.2.16-1 (fixed)
trixie: 3:4.2.16-1 (fixed)
wheezy: not-affected
Ubuntu Releases (product: python-django)
artful: fixed in 1:1.11.4-1ubuntu1.1 (released)
trusty: not-affected
xenial: not-affected
zesty: not-affected