CVE-2017-12794

MEDIUM NUCLEI

Django Debug Page - Cross-Site Scripting

Title source: nuclei

Description

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

Nuclei Templates (1)

Django Debug Page - Cross-Site Scripting

MEDIUMby pikpikcu

Shodan: cpe:"cpe:2.3:a:djangoproject:django"

References (4)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/100643

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1039264

[Vendor Advisory] https://usn.ubuntu.com/3559-1/

[Patch, Vendor Advisory] https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

Scores

CVSS v3 6.1

EPSS 0.2097

EPSS Percentile 95.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (14)

djangoproject/django 1.10.0

djangoproject/django 1.10.1

djangoproject/django 1.10.2

djangoproject/django 1.10.3

djangoproject/django 1.10.4

djangoproject/django 1.10.5

djangoproject/django 1.10.6

djangoproject/django 1.10.7

djangoproject/django 1.11.0

djangoproject/django 1.11.1

... and 4 more

Published Sep 07, 2017

Tracked Since Feb 18, 2026