CVE-2017-12794
Published: 2017-09-07
Priority P3 · 49 · medium · CVSS 3.0 base score 6.1 · vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit
EPSS: 23.57% (97.5th percentile)
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1:1.11.5-1 (bookworm) | python-django 1:1.11.5-1 (bookworm) |
| djangoproject | django | >= 1.10a1 < 1.10.8 | 1.10.8 |
| djangoproject | django | >= 1.11a1 < 1.11.5 | 1.11.5 |
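As an added example (not code from the advisory, the Django project or the Nuclei template), a defender-side Python check for hosts you operate: it decides whether a reported Django version falls inside the two affected ranges from the Affected table above (1.10a1 up to but excluding 1.10.8, 1.11a1 up to but excluding 1.11.5), and whether a 500 response is the technical debug page, i.e. whether `DEBUG = True` is live, which is the precondition the description names. The marker sentence and the sample response body are assumptions constructed for the example, not captures.

```python
import re

# Affected ranges from this CVE record's Affected table: [lower, upper) per branch.
AFFECTED = {"1.10": ("1.10a1", "1.10.8"), "1.11": ("1.11a1", "1.11.5")}

# Sentence the technical 500 page shows when DEBUG = True (assumed marker;
# confirm it against the debug page of the Django release you actually run).
DEBUG_MARKER = "because you have DEBUG = True in your Django settings file"

# Constructed sample of a debug-page body, not a capture from a real host.
SAMPLE_500 = """<html><body><h1>ValueError at /orders/</h1>
<table class="meta"><tr><th>Django Version:</th><td>1.11.4</td></tr></table>
<p>You're seeing this error because you have <code>DEBUG = True</code> in
your Django settings file. Change that to <code>False</code>.</p></body></html>"""


def parse_version(s):
    """Turn '1.11.4', '1.11a1' or '1.11rc1' into a sortable tuple.

    Pre-release tags ('a', 'b', 'rc') compare below 'z', which stands in for
    a final release, so 1.11a1 < 1.11rc1 < 1.11 < 1.11.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?", s)
    if not m:
        raise ValueError("unrecognised Django version: %r" % s)
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    tag, num = (m[4] or "z"), int(m[5] or 0)
    return (major, minor, patch, tag, num)


def is_affected(version):
    """True if the version lies in any affected range of CVE-2017-12794."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED.values())


def assess_response(status, body):
    """Classify one HTTP response from a Django host you operate.

    Returns (debug_page_exposed, reported_version, affected_by_cve). A 500
    carrying the marker means DEBUG = True is live, which is what makes the
    vulnerable template reachable at all; the version says whether the
    autoescaping bug is present in the traceback section.
    """
    text = " ".join(re.sub(r"<[^>]+>", " ", body).split())  # drop tags, squeeze spaces
    exposed = status == 500 and DEBUG_MARKER in text
    m = re.search(r"Django Version:\s*([\w.]+)", text)
    version = m.group(1) if m else None
    return exposed, version, bool(version and is_affected(version))
```

A production host should never return `(True, ...)` from `assess_response`; if it does, setting `DEBUG = False` removes the exposure independently of whether the installed version is inside the affected ranges.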
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | LOW | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2018-02-07 · CVSS 6.1 · MEDIUM
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled certain requests. An attacker could possibly use this to access sensitive information. (CVE-2017-12794, CVE-2018-6188)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-django: Possible XSS in traceback section of technical 500 debug page
vendor_redhat · 2017-09-05 · CVSS 6.1 · MEDIUM · CWE-79
Package: Django (Red Hat Ceph Storage 1.3) - Not affected
Package: python-django (Red Hat Ceph Storage 2) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: pytho
Debian
CVE-2017-12794: python-django
vendor_debian · 2017 · CVSS 6.1 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1:1.11.5-1)
bullseye: resolved (fixed in 1:1.11.5-1)
forky: resolved (fixed in 1:1.11.5-1)
sid: resolved (fixed in 1:1.11.5-1)
trixie: resolved (fixed in 1:1.11.5-1)
OSV
Django vulnerable to XSS on 500 pages
osv · 2019-01-04 · MEDIUM
GHSA
Django vulnerable to XSS on 500 pages
ghsa · 2019-01-04 · MEDIUM · CWE-79
OSV
CVE-2017-12794
osv · 2017-09-07 · CVSS 6.1 · MEDIUM
No detection rules found.
Nuclei
Django Debug Page - Cross-Site Scripting
nuclei · CVSS 6.1 · MEDIUM
Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. We detected that right circumstances (DEBUG=True) are present to allow a cross-site scripting attack.
Template:
```yaml
id: CVE-2017-12794
info:
  name: Django Debug Page - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: |
    Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. We detected that right circumstances (DEBUG=True) are present to allow a cross-site scripting attack.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the co
```
Bugzilla
CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page [fedora-all]
bugzilla · 2017-09-06 · CVSS 6.1 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page
bugzilla · 2017-08-29 · CVSS 6.1 · MEDIUM
In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with ``DEBUG = True`` (which makes this page accessible) in your production settings.
Affected versions
* Django master development branch
* Django 1.11
* Django 1.10
Django 1.8 is unaffected and Django 1.9 reached end-of-life in April 2017.
Discussion:
* Created attachment 1319747: Patch for Django master
* Created attachment 1319748: Patch for Django 1.11.x
* Created attachment 1319749: Patch for Django 1.10.x
Externa
arXiv
DjangoChecker: Applying Extended Taint Tracking and Server Side Parsing for Detection of Context-Sensitive XSS Flaws
arxiv_fulltext · 2020-05-14
## Abstract
Cross-site scripting (XSS) flaws are a class of security flaws that permit the injection of malicious code into a web application. In simple situations, these flaws can be caused by missing input sanitizations. Sometimes, however, all application inputs are sanitized, but the sanitizations are not appropriate for the browser contexts of the sanitized values. Using an incorrect sanitizer can make the application look protected, when it is in fact vulnerable as if no sanitization was used, creating a context-sensitive XSS flaw. To discover context-sensitive XSS flaws, we introduce DjangoChecker. DjangoChecker combines extended dynamic taint tracking with a model browser for context analysis. We demonstrate the practical application of DjangoChecker on eight mature web applicati
References
* http://www.securityfocus.com/bid/100643
* http://www.securitytracker.com/id/1039264
* https://usn.ubuntu.com/3559-1/
* https://www.djangoproject.com/weblog/2017/sep/05/security-releases/