CVE-2017-12794

MEDIUM NUCLEI

Django Debug Page - Cross-Site Scripting

Title source: nuclei
STIX 2.1

Exploitation Summary

CVE-2017-12794 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

Nuclei Templates (1)

Django Debug Page - Cross-Site Scripting
MEDIUMby pikpikcu
Shodan: cpe:"cpe:2.3:a:djangoproject:django"

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3559-1/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100643
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039264
Patch, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

Scores

CVSS v3 6.1
EPSS 0.2357
EPSS Percentile 97.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (14)
djangoproject/django 1.10.0
djangoproject/django 1.10.1
djangoproject/django 1.10.2
djangoproject/django 1.10.3
djangoproject/django 1.10.4
djangoproject/django 1.10.5
djangoproject/django 1.10.6
djangoproject/django 1.10.7
djangoproject/django 1.11.0
djangoproject/django 1.11.1
... and 4 more
Published Sep 07, 2017
Tracked Since Feb 18, 2026