PYSEC-2017-44

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2017-44.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2017-44

Aliases

Published

2017-09-07T13:29:00Z

Modified

2023-11-08T03:58:54.215558Z

Summary

[none]

Details

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.10

Fixed

1.10.8

Introduced

1.11

Fixed

1.11.5

Affected versions

1.*

1.10

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.10.7

1.11

1.11.1

1.11.2

1.11.3

1.11.4