CVE-2017-12794
Description
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites, since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Risk Information
Base Score: 6.1 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score (Exploitation Probability): 17.361
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2017-12794 are fixed in Python-django 1.10.8 | Windows |
| Vulnerabilities CVE-2017-12794 are fixed in Python-django 1.11.5 | Windows |
| Vulnerabilities CVE-2017-12794 are fixed in Python-django for linux 1.10.8 | Linux |
| Vulnerabilities CVE-2017-12794 are fixed in Python-django for linux 1.11.5 | Linux |
Patch Details
No records found