{"id":"PYSEC-2017-44","details":"In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.","aliases":["CVE-2017-12794","GHSA-9r8w-6x8c-6jr9"],"modified":"2023-11-01T04:47:37.227995Z","published":"2017-09-07T13:29:00Z","references":[{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2017/sep/05/security-releases/"},{"type":"WEB","url":"http://www.securitytracker.com/id/1039264"},{"type":"WEB","url":"http://www.securityfocus.com/bid/100643"},{"type":"WEB","url":"https://usn.ubuntu.com/3559-1/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-9r8w-6x8c-6jr9"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.10"},{"fixed":"1.10.8"},{"introduced":"1.11"},{"fixed":"1.11.5"}]}],"versions":["1.10","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.11","1.11.1","1.11.2","1.11.3","1.11.4"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2017-44.yaml"}}],"schema_version":"1.7.3"}