CVE-2017-12794

Aliases: GHSA-9r8w-6x8c-6jr9, PYSEC-2017-44
Status: Modified
Published: 07 Sept 2017, 13:00
Last modified: 05 Aug 2024, 18:51

Vulnerability Summary

Overall Risk (default): medium (26/100)
CVSS Score: 6.1 MEDIUM, v3.0 (nvd)
EPSS Score: 9.73% LOW (10% probability, change -7.63%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

07 Sept 2017, 13:00: Published (vulnerability first disclosed)
05 Aug 2024, 18:51: Last Modified (vulnerability information updated)

Description

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

CVSS Metrics

  • v4.0 MEDIUM, score 5.3: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
  • v3.0 MEDIUM, score 6.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • v2.0 MEDIUM, score 4.3: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 9.73%; percentile: 93%

Techniques & Countermeasures

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

  • djangoproject / django (CPE)

    1.10.0 | 1.10.1 | 1.10.2 | 1.10.3 | 1.10.4 | 1.10.5 | 1.10.6 | 1.10.7 | 1.11.0 | 1.11.1 | 1.11.2 | 1.11.3 | 1.11.4

  • PyPI: django

    ≥ 1.10a1, < 1.10.8 | ≥ 1.11a1, < 1.11.5 | ≥ 1.11, < 1.11.5
