CVE-2017-12794

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-12794
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12794.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-12794
Aliases
Downstream
Related
Published
2017-09-07T13:29:00Z
Modified
2025-09-30T06:57:56.077506Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1a34dfcf797640d5d580d261694cb54e6f97c552
Last affected
2a0d8ae9bd8b0e6f7df4ca060bb072b9b79594e1
Last affected
320ec4ed27c254a87e09a70601b1b27ae0a0456e
Last affected
46b40274dd44921f72a59771ecb3d2b2c7b3aa0b
Last affected
4c047e90b62529681dc691bc935036108d6b0324
Last affected
6157cd6da1b27716e8f3d1ed692a6e33d970ae46
Last affected
bd97496d07466f3a940e2fcc114b540ca01cd340
Last affected
ce4edd260bfa790418eea7de0112ce7c16feb304
Last affected
e75c188d1cd4ddae2726fe6db001f9e9d693b032
Last affected
e793a93bef6408274c81ecf8f39f6549afd3608f
Last affected
e99ebfcc140a5f794e259994f9252cb440459143

Affected versions

1.*

1.0
1.1
1.10
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10a1
1.10b1
1.10rc1
1.11
1.11.1
1.11.2
1.11.3
1.11.4
1.11a1
1.11b1
1.11rc1
1.2
1.2.1
1.3
1.4
1.7a1
1.7a2