VIR Vulnerability Intelligence Relay

CVE-2017-12794

medium
Published 2017-09-07 · Modified 2023-11-08
CVSS v3
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v2
4.3
VIR risk
6.1

Description

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

Predictions

Exploit likelihood
71%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-12794

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed1:1.11.5-1
debian debianbullseyefixed1:1.11.5-1
debian debianforkyfixed1:1.11.5-1
debian debiansidfixed1:1.11.5-1
debian debiantrixiefixed1:1.11.5-1

Package impact
EcosystemPackageVulnerableFixed
python PyPIdjango>=1.10a1,<1.10.81.10.8
python PyPIdjango>=1.11a1,<1.11.51.11.5
python PyPIdjango>=1.11,<1.11.51.10.8

Application impact
VendorProductVersionsFixed
djangoprojectdjango1.10.0
djangoprojectdjango1.10.1
djangoprojectdjango1.10.2
djangoprojectdjango1.10.3
djangoprojectdjango1.10.4
djangoprojectdjango1.10.5
djangoprojectdjango1.10.6
djangoprojectdjango1.10.7
djangoprojectdjango1.11.0
djangoprojectdjango1.11.1
djangoprojectdjango1.11.2
djangoprojectdjango1.11.3
djangoprojectdjango1.11.4

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.