Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-12794Cross-site Scripting in Django

CWE-79Cross-site Scripting11 documents9 sources
Severity
6.1MEDIUMNVD
EPSS
17.6%
top 4.90%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Djangoproject Django
Timeline
PublishedSep 7
Latest updateJan 4

Description

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

PyPIdjangoproject/django1.10a11.10.8+1
NVDdjangoproject/django13 versions+12

Patches

Patch: www.djangoproject.comPatch: www.djangoproject.com

🔴Vulnerability Details

4
OSV
Django vulnerable to XSS on 500 pages2019-01-04
GHSA
Django vulnerable to XSS on 500 pages2019-01-04
OSV
CVE-2017-12794: In Django 12017-09-07
CVEList
CVE-2017-12794: In Django 12017-09-07

💥Exploits & PoCs

1
Nuclei
Django Debug Page - Cross-Site Scripting

📋Vendor Advisories

3
Ubuntu
Django vulnerabilities2018-02-07
Red Hat
python-django: Possible XSS in traceback section of technical 500 debug page2017-09-05
Debian
CVE-2017-12794: python-django - In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was d...2017

💬Community

2
Bugzilla
CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page [fedora-all]2017-09-06
Bugzilla
CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page2017-08-29
CVE-2017-12794 — Cross-site Scripting in Django | cvebase