{"id":"CVE-2017-12794","details":"In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.","aliases":["GHSA-9r8w-6x8c-6jr9","PYSEC-2017-44"],"modified":"2026-05-28T04:03:36.279725212Z","published":"2017-09-07T13:29:00.467Z","related":["SUSE-SU-2018:0973-1","SUSE-SU-2018:1102-1","openSUSE-SU-2018:0632-1","openSUSE-SU-2023:0077-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","extracted_events":[{"last_affected":"1.10.0"},{"last_affected":"1.11.0"}],"cpes":["cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.11.0:*:*:*:*:*:*:*"],"vendor_product":"djangoproject:django"}]},"references":[{"type":"WEB","url":"https://usn.ubuntu.com/3559-1/"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100643"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039264"},{"type":"FIX","url":"https://www.djangoproject.com/weblog/2017/sep/05/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"0"},{"last_affected":"bd97496d07466f3a940e2fcc114b540ca01cd340"},{"last_affected":"e99ebfcc140a5f794e259994f9252cb440459143"},{"last_affected":"46b40274dd44921f72a59771ecb3d2b2c7b3aa0b"},{"last_affected":"4c047e90b62529681dc691bc935036108d6b0324"},{"last_affected":"6157cd6da1b27716e8f3d1ed692a6e33d970ae46"},{"last_affected":"320ec4ed27c254a87e09a70601b1b27ae0a0456e"},{"last_affected":"e75c188d1cd4ddae2726fe6db001f9e9d693b032"},{"last_affected":"2a0d8ae9bd8b0e6f7df4ca060bb072b9b79594e1"},{"last_affected":"ce4edd260bfa790418eea7de0112ce7c16feb304"},{"last_affected":"e793a93bef6408274c81ecf8f39f6549afd3608f"},{"last_affected":"1a34dfcf797640d5d580d261694cb54e6f97c552"}],"database_specific":{"source":"CPE_STRING","cpe":["cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.3:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.4:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.5:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.6:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.7:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.11.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.11.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.11.3:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.11.4:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"1.10.1"},{"last_affected":"1.10.2"},{"last_affected":"1.10.3"},{"last_affected":"1.10.4"},{"last_affected":"1.10.5"},{"last_affected":"1.10.6"},{"last_affected":"1.10.7"},{"last_affected":"1.11.1"},{"last_affected":"1.11.2"},{"last_affected":"1.11.3"},{"last_affected":"1.11.4"}]}}],"versions":["1.11.4","1.11.3","1.11.2","1.11.1","1.10.7","1.11","1.11rc1","1.10.6","1.11b1","1.11a1","1.10.5","1.10.4","1.10.3","1.10.2","1.10.1","1.10","1.10rc1","1.10b1","1.10a1","1.7a2","1.4","1.3","1.2.1","1.2","1.1","1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12794.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}